Cisco Releases Patch for 'Vulnerabilities' in Unified Communications Manager and Shores up DDoS Prevention Capabilities

By Peter Bernstein July 19, 2013

It seems there is no corner of the communications and information technology industry that is immune to being compromised. While the headlines continue to be dominated by data breaches and Distributed Denial of Service (DDoS) attacks, you may have missed a piece of news that directly impacts quite a few enterprise communications users. 

None other than Cisco Systems was in the position of alerting its customers and the world that it has released a security patch for its Unified Communications Manager (Unified CM) enterprise telephony product. The patch mitigates what has been publicly demonstrated: the potential for an attack that could allow hackers to take full control of the systems. Cisco also patched DDoS vulnerabilities in its Intrusion Prevention System software.

Please note before reading the rest of this posting that this is not about something that has happened. In fact, if you read the Cisco quote at the bottom of this article, you will see that this is an example of the company being proactive in recognition of the potential harm of what has been exposed, and that they are on the case to mitigate the risks.

Protection for the Cisco Unified CM

For those unfamiliar, Cisco Unified CM is a call processing component that extends enterprise telephony features and functions to IP phones, media processing devices, VoIP gateways, and multimedia applications. If you are a user of the solution, hopefully you are aware of Advisory ID: Cisco-sa-20130317.cucm.

The link above is to the entire advisory. Rather than try to paraphrase what is a rather lengthy and detailed posting, below is the summary Cisco provides to get you started.

Cisco Unified Communications Manager (Unified CM) contains multiple vulnerabilities that could be used together to allow an unauthenticated, remote attacker to gather user credentials, escalate privileges, and execute commands to gain full control of the vulnerable system. A successful attack could allow an unauthenticated attacker to access, create or modify information in Cisco Unified CM. On June 6, 2013, a French security firm, Lexfo, delivered a public presentation on VoIP security that included a demonstration of multiple vulnerabilities used to compromise Cisco Unified CM. During the presentation, the researchers demonstrated a multistaged attack that chained a number of vulnerabilities, which resulted in a complete compromise of the Cisco Unified CM server. The attack chain used the following types of vulnerabilities:

  • Blind Structured Query Language (SQL) injection
  • Command injection
  • Privilege escalation

Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports. Cisco has released a Cisco Options Package (COP) file that addresses three of the vulnerabilities documented in this advisory. Cisco is currently investigating the remaining vulnerabilities. Workarounds that mitigate these vulnerabilities are not available.

As the document points out, not only was the simulated attack a very nasty piece of business, but it is very sophisticated and could result in attackers gaining total system control.

To its credit Cisco has released a temporary security patch in the form of a Cisco Options Package (COP) called "cmterm-CSCuh01051-2.cop.sgn" that addresses some of the vulnerabilities used in the attack, including the one allowing the initial blind SQL injection. 

The patch can be downloaded from the company website. It is the best protection available until Cisco releases new and patched versions of the Unified CM software. Cisco does explain that the COP file mitigates the initial attack vector and reduces the documented attack surface, but cautions that other vulnerabilities in the attack remain unpatched and are still being investigated, and that no workarounds are currently available for them.

As with automobile recalls, Cisco has published the versions of the Unified CM software that are affected by the publicly demonstrated attack. These are Versions 7.1.x, 8.5.x, 8.6.x, 9.0.x and 9.1.x. The company notes that Version 8.0 is also affected, but is no longer supported, and customers on this version need to contact Cisco for an upgrade to a supported version.

An ounce of protection is worth a pound of cure

As noted at the top, it is critical to underscore a statement in the advisory.

“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerabilities that are described in this advisory.”

The old axiom in the subheadline above is a message to be heeded. The release of the advisory is exemplary behavior on the part of Cisco to help protect its customers. However, the publicity this has already generated unfortunately must also be viewed as an invitation to the bad guys that they have a window of opportunity to exploit if you don’t act fast. In short, if you are a Cisco user of one of the versions affected and have not already downloaded the patches, delaying would, to say the least, be ill-advised.

The release of the patches also highlights two important things. First, Cisco has handled the exposure of possible vulnerabilities responsibly and expeditiously, which is the way these types of challenges must be handled. Second, the demonstration of a potential attack highlighted that, as we move toward the world of an “Internet of Things,” the vectors of vulnerability are increasing and unfortunately nothing is immune from possible exploitation. This is why making sure you are almost absolutely current on software upgrades and security patches must be a foundational part of risk management.

Thank you Cisco for the alert.

Edited by Rich Steeves