30 Oct Security Advisory – SOS-14-001 – Cisco CUCDM IP Phone Services Multiple Vulnerabilities
Release Date: 30-Oct-2014
Last Update: –
Vendor Notification Date: 17-Jan-2014
Product: Cisco Unified Communications Domain Manager
Affected versions: –
Severity Rating: High / Medium / Low
Impact: Privilege escalation
Exposure of sensitive information
Attack Vector: Remote without authentication
Solution Status: Vendor patch
CVE reference: CVE-2014-3278
Multiple high risk security vulnerabilities were detected in the IP phone services of the Cisco Unified Communications Domain Manager (a.k.a. CUCDM or VOSS Solutions Domain Manager). The security vulnerabilities can be used to obtain unauthorised access to the CUCDM services, to bypass the authorisation scheme for the IP phones and to compromise the hosted VoIP services and infrastructure.
Please refer to the PDF version of this advisory for proof of concept code examples.
All vendor security fixes must be installed. All Cisco CUCDM customers must migrate from the BVSMWeb interface of the CUCDM to the Cisco Unified Communication Manager IP telephony management services.
Fatih Ozavci from Sense of Security Labs.