usd-2018-0038 | Cisco Unified Communications Manager (CallManager)/11.5.1.15900-18 (likely in all versions)


Advisory ID: usd-2018-0038
CVE Number: N/A
Affected Product: Unified Communications Manager
Affected Version: 11.5.1.15900-18 (likely in all versions)
Vulnerability Type: Exposure of Sensitive Configuration Data
Security Risk: High
Vendor URL: https://www.cisco.com
Vendor Status: Unknown

Description

usd AG discovered that Cisco Unified Communications Manager (CallManager) and connected SX20 TelePresence devices communicate in clear-text. This communication includes the synchronization of configuration data (e.g. user names and passwords) as well as video and audio telephony data. Attackers in a man-in-the-middle position can exploit this to gain access to devices as well as eavesdrop on video conferencing calls. The attacker does not require network access to the CallManager itself to exploit this. A possible scenario could be an attacker who has (short-term) physical access to a conference room with an SX20 or similar device installed.

Cisco Unified Communications Manager (CallManager) is a server component for video conferencing and video telephony infrastructures. A typical setup of Cisco Unified Communications infrastructures includes one or multiple CallManagers connected to a number of video conferencing devices, such as Cisco TelePresence SX20. The TelePresence devices, which can e.g. be located in conference rooms, connect to the CallManagers to retrieve configuration files and when a video call takes place.
usd discovered multiple vulnerabilities in the way these devices interact and within the CallManager itself.

First Proof of Concept: Obtaining configuration data

An attacker with physical access to a video-conferencing room can plant a device which acts as a transparent network bridge between the SX20 device and the network switch. Periodically the SX20 will contact the CallManager to download configuration data. This is done in plain-text from TCP port 6970.

This configuration data will contain the following XML tags:
&ltAdminLoginDetails&gt&ltadminUserId&gtadmin&lt/adminUserId&gt&ltadminPassword&gtpassw0rd!&lt/adminPassword&gt&lt/AdminLoginDetails&gt

Second Proof of Concept: Eavesdropping on audio/video calls

An attacker in a man-in-the-middle position can create network packet captures during video telephony calls. These captures can subsequently be used to extract audio and video data of the call, using videosnarf (https://www.jasonneurohr.com/articles/how-to-replay-h264-video-from-a-packet-capture).

Please note that an attacker who is able to log into the SX20 administration panel on TCP Port 443 can also use the „Extended Logging“ functionality to create similar packet captures. This does not require a man-in-the-middle attack. Attack vectors for obtain administrative access are described in usd-2018-0035, usd-2018-0036 and usd-2018-0037.

Fix

The communication between tele presence devices and the CallManager should use TLS transport encryption with certificate verification. This would ensure that no clear-text data can be intercepted.

Timeline

  • 2018-10-31 Advisory has been sent to psirt@cisco.com
  • 2018-11-09 extended public disclosure deadline to 2019-01-23
  • 2019-01-23 Security advisory released

Credits

This security vulnerability was discovered by Marcus Gruber and Maximilian Boehner of usd AG.