Cisco Releases Patch for 'Vulnerabilities' in Unified Communications Manager and Shores up DDoS Prevention Capabilities


It seems there is no corner of the communications and information technology industry that is immune to being compromised. While the headlines continue to be dominated by data breaches and Distributed Denial of Service (DDoS) attacks, you may have missed a piece of news that directly impacts quite a few enterprise communications users. 

None other than Cisco Systems was in the position of alerting its customers and the world that it has released a security patch for its Unified Communications Manager (Unified CM) enterprise telephony product. The patch is meant to mitigate what has been publicly demonstrated: the potential for an attack that could allow hackers to take full control of the systems. Cisco also patched DDoS vulnerabilities in its Intrusion Prevention System software.

Please note before reading the rest of this posting that this is not about something that has happened. In fact, if you read the Cisco quote at the bottom of this article, you will see that this is an example of the company being proactive in recognizing the potential harm of what has been exposed, and that it is on the case to mitigate the risks.

Protection for the Cisco Unified CM

For those unfamiliar, Cisco Unified CM is a call processing component that extends enterprise telephony features and functions to IP phones, media processing devices, VoIP gateways, and multimedia applications. If you are a user of the solution, hopefully you are aware of Advisory ID: Cisco-sa-20130317.cucm.

The link above is to the entire advisory. Rather than try to paraphrase what is a rather lengthy and detailed posting, below is the summary Cisco provides to get you started.

Cisco Unified Communications Manager (Unified CM) contains multiple vulnerabilities that could be used together to allow an unauthenticated, remote attacker to gather user credentials, escalate privileges, and execute commands to gain full control of the vulnerable system. A successful attack could allow an unauthenticated attacker to access, create or modify information in Cisco Unified CM. On June 6, 2013, a French security firm, Lexfo, delivered a public presentation on VoIP security that included a demonstration of multiple vulnerabilities used to compromise Cisco Unified CM. During the presentation, the researchers demonstrated a multistaged attack that chained a number of vulnerabilities, which resulted in a complete compromise of the Cisco Unified CM server. The attack chain used the following types of vulnerabilities:

  • Blind Structured Query Language (SQL) injection
  • Command injection
  • Privilege escalation

Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports. Cisco has released a Cisco Options Package (COP) file that addresses three of the vulnerabilities documented in this advisory. Cisco is currently investigating the remaining vulnerabilities. Workarounds that mitigate these vulnerabilities are not available.

As the document points out, not only was the simulated attack a very nasty piece of business, but it is very sophisticated and could result in attackers gaining total system control.

To its credit Cisco has released a temporary security patch in the form of a Cisco Options Package (COP) called "cmterm-CSCuh01051-2.cop.sgn" that addresses some of the vulnerabilities used in the attack, including the one allowing the initial blind SQL injection. 

The patch can be downloaded from the company website. It is the best protection available until Cisco releases new and patched versions of the Unified CM software. Cisco does explain that the COP file mitigates the initial attack vector and reduces the documented attack surface, but cautions that other vulnerabilities in the attack remain unpatched and are still being investigated, and that no workarounds are currently available for them.

As with automobile recalls, Cisco has published the versions of the Unified CM software that are affected by the publicly demonstrated attack. These are Versions 7.1.x, 8.5.x, 8.6.x, 9.0.x and 9.1.x. The company notes that Version 8.0 is also affected, but is no longer supported, and customers on this version need to contact Cisco for an upgrade to a supported version.

An ounce of protection is worth a pound of cure

As noted at the top, it is critical to underscore a statement in the advisory.

“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerabilities that are described in this advisory.”

The old axiom in the subheadline above is a message to be heeded. The release of the advisory is exemplary behavior on the part of Cisco to help protect its customers. However, the publicity this has already generated unfortunately must also be viewed as an invitation to the bad guys: they have a window of opportunity to exploit if you don’t act fast. In short, if you are a Cisco user of one of the versions affected and have not already downloaded the patches, delay in doing so would, to say the least, be ill-advised.

The release of the patches also highlights two important things. First, Cisco has handled the exposure of possible vulnerabilities responsibly and expeditiously, which is the way these types of challenges must be handled. Second, the demonstration of the potential of an attack highlighted that as we move toward the world of an “Internet of Things,” the vectors of vulnerability are increasing and, unfortunately, nothing is immune from possible exploitation. It is why making sure you are almost absolutely current on software upgrades and security patches must be a foundational part of risk management.

Thank you Cisco for the alert.




Edited by Rich Steeves