Cisco Releases Patch for 'Vulnerabilities' in Unified Communications Manager and Shores up DDoS Prevention Capabilities

By Peter Bernstein July 19, 2013

It seems there is no corner of the communications and information technology industry that is immune to being compromised. While the headlines continue to be dominated by data breaches and Distributed Denial of Service (DDoS) attacks, you may have missed a piece of news that directly impacts quite a few enterprise communications users. 

None other than Cisco Systems was in the position of alerting its customers and the world that it has released a security patch for its Unified Communications Manager (Unified CM) enterprise telephony product. The patch is meant to mitigate what has been publicly demonstrated: the potential for an attack that could allow hackers to take full control of the systems. Cisco also patched DDoS vulnerabilities in its Intrusion Prevention System software.

Please note before reading the rest of this posting that this is not about something that has happened. In fact, if you read the Cisco quote at the bottom of this article you will see that this is an example of the company being proactive in recognition of the potential harm of what has been exposed, and that it is on the case to mitigate the risks.

Protection for the Cisco Unified CM

For those unfamiliar, Cisco Unified CM is a call processing component that extends enterprise telephony features and functions to IP phones, media processing devices, VoIP gateways, and multimedia applications. If you are a user of the solution, hopefully you are aware of Advisory ID: Cisco-sa-20130317.cucm.

The link above is to the entire advisory. Rather than try to paraphrase what is a rather lengthy and detailed posting, below is the summary Cisco provides to get you started.

Cisco Unified Communications Manager (Unified CM) contains multiple vulnerabilities that could be used together to allow an unauthenticated, remote attacker to gather user credentials, escalate privileges, and execute commands to gain full control of the vulnerable system. A successful attack could allow an unauthenticated attacker to access, create or modify information in Cisco Unified CM. On June 6, 2013, a French security firm, Lexfo, delivered a public presentation on VoIP security that included a demonstration of multiple vulnerabilities used to compromise Cisco Unified CM. During the presentation, the researchers demonstrated a multistaged attack that chained a number of vulnerabilities, which resulted in a complete compromise of the Cisco Unified CM server. The attack chain used the following types of vulnerabilities:

  • Blind Structured Query Language (SQL) injection
  • Command injection
  • Privilege escalation

Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports. Cisco has released a Cisco Options Package (COP) file that addresses three of the vulnerabilities documented in this advisory. Cisco is currently investigating the remaining vulnerabilities. Workarounds that mitigate these vulnerabilities are not available.

As the document points out, not only was the simulated attack a very nasty piece of business, but it is very sophisticated and could result in attackers gaining total system control.

To its credit Cisco has released a temporary security patch in the form of a Cisco Options Package (COP) called "cmterm-CSCuh01051-2.cop.sgn" that addresses some of the vulnerabilities used in the attack, including the one allowing the initial blind SQL injection. 

The patch can be downloaded from the company website. It is the best protection available until Cisco releases new and patched versions of the Unified CM software. Cisco does explain that the COP file mitigates the initial attack vector and reduces the documented attack surface, but cautions that other vulnerabilities in the attack remain unpatched and are still being investigated, and that no workarounds are currently available for them.

As with automobile recalls, Cisco has published the versions of the Unified CM software that are affected by the publicly demonstrated attack. These are Versions 7.1.x, 8.5.x, 8.6.x, 9.0.x and 9.1.x. The company notes that Version 8.0 is also affected but is no longer supported, and customers on this version need to contact Cisco for an upgrade to a supported version.

An ounce of protection is worth a pound of cure

As noted at the top, it is critical to underscore a statement in the advisory.

“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerabilities that are described in this advisory.”

The old axiom in the subheadline above is a message to be heeded. The release of the advisory is exemplary behavior on the part of Cisco to help protect its customers. However, the publicity this has already generated unfortunately must also be viewed as an invitation to the bad guys that they have a window of opportunity to exploit if you don’t act fast. In short, if you are a Cisco user of one of the versions affected and have not already downloaded the patches, delaying would, to say the least, be ill-advised.

The release of the patches also highlights two important things. First, Cisco has handled the exposure of possible vulnerabilities responsibly and expeditiously, which is the way these types of challenges must be handled. Second, the demonstration of a potential attack highlighted that as we move toward the world of an “Internet of Things,” the vectors of vulnerability are increasing and unfortunately nothing is immune from possible exploitation. It is why making sure you are almost absolutely current on software upgrades and security patches must be a foundational part of risk management.

Thank you Cisco for the alert.

Edited by Rich Steeves