In this Section

Sense of Security – Security Advisory – SOS-14-002 – Cisco CUCDM Administration Portal

pdf_symbol

Sense of Security – Security Advisory – SOS-14-002

Release Date. 30-Nov-2014
Last Update.
Vendor Notification Date. 17-Jan-2014
Product. Cisco Unified Communications Domain Manager
Platform. Cisco Unified Communications Domain Manager
Affected versions. All versions up to 10.5.1
Severity Rating. High / Medium / Low
Impact. Privilege escalation
Security bypass
Exposure of sensitive information
Attack Vector. Remote with/without authentication
Solution Status. Vendor Patch
CVE reference. CVE-2014-2197
 CVE-2014-3277
CVE-2014-3279
CVE-2014-3280
CVE-2014-3282

Details.

Multiple high risk security vulnerabilities were detected in the

administration portal of the Cisco Unified Communications Domain

Manager (a.k.a. CUCDM or VOSS Solutions Domain Manager). The security

vulnerabilities can be used to obtain unauthorised access to the

CUCDM services, to bypass the authorisation scheme, to elevate the

current user privileges and to compromise the hosted VoIP services and

infrastructure. Fatih Ozavci, a Senior Security Consultant with Sense

of Security, has demonstrated these vulnerabilities and additional

design issues at Black Hat USA 2014 and Def Con 22 security events

using the Viproy VoIP Penetration Testing Kit.

 

Details of the vulnerabilities and required security fixes or

workarounds can be found within the following references:

 

  1. Cisco Unified Communications Domain Manager Privilege Escalation

Vulnerability (High Risk)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2197

 

A vulnerability in the web framework of the Cisco Unified Communications

Domain Manager Application Software could allow an authenticated,

remote attacker to elevate privileges and gain administrative access

to the affected system.

 

The vulnerability is due to improper implementation of authentication

and authorisation controls within the Administration GUI. An attacker

could exploit this vulnerability by submitting a crafted URL to change

the administrative credentials of a user. The attacker needs to be

authenticated to the system or convince a valid user of the Administration

GUI to click a malicious link.

 

  1. Cisco Unified Communications Domain Manager Admin Information

Disclosure Vulnerability (Low Risk)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3277

 

A vulnerability in the web framework of the VOSS Operating System

running on the Cisco Unified Communications Domain Manager (Cisco Unified

CDM) Application Software could allow an authenticated, remote attacker

to access information about users and user groups.

 

The vulnerability is due to improper implementation of authentication and

authorisation controls of the VOSS Administration GUI. An attacker could

exploit this vulnerability by submitting a crafted URL to execute

administrative tasks. The attacker must be authenticated as a Location

Administrator or must convince a user with Location Administrator

privileges to click a malicious link.

 

  1. Cisco Unified Communications Domain Manager Admin User Enumeration

Vulnerability (Medium Risk)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3279

 

A vulnerability in the web framework of the VOSS Operating System running

on Cisco Unified Communications Domain Manager (Cisco Unified CDM)

Application Software could allow an unauthenticated, remote attacker

to enumerate valid user accounts.

 

The vulnerability is due to improper implementation of authentication

and authorisation controls when accessing certain web pages of the

Administration GUI. An attacker could exploit this vulnerability by

submitting a crafted URL to the affected system.

 

  1. Cisco Unified Communications Domain Manager Admin Information

Disclosure Vulnerability (Low Risk)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3280

 

A vulnerability in the web framework of the VOSS Operating System running

on the Cisco Unified Communications Domain Manager (Cisco Unified CDM)

Application Software could allow an authenticated, remote attacker to

access certain user information.

 

The vulnerability is due to improper implementation of authentication

and authorisation controls when accessing certain web pages of the

Administration GUI. An attacker could exploit this vulnerability by

submitting a crafted URL to the affected system.

 

  1. Cisco Unified Communications Domain Manager Admin Number Translation

Information Disclosure Vulnerability (Low Risk)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3282

 

A vulnerability in the web framework of the VOSS Operating System running

on the Cisco Unified Communications Domain Manager (Cisco Unified CDM)

Application Software could allow an authenticated, remote attacker to

access information about number translation.

 

The vulnerability is due to improper implementation of authorisation

controls when accessing certain web pages of Administration GUI applications.

An attacker could exploit this vulnerability by submitting a crafted URL

to the affected system. The attacker would need the privileges of a Location

Administrator user to exploit this vulnerability.

 

Exploits and Tools.

Viproy VoIP Penetration Testing and Exploitation Kit.

 

Solution.

All vendor security fixes must be installed.

 

Discovered by.

Fatih Ozavci from Sense of Security Labs.