30 Oct Security Advisory – SOS-14-002 – Cisco CUCDM Administration Portal Multiple Vulnerabilities
Release Date: 30-Oct-2014
Last Update: –
Vendor Notification Date: 17-Jan-2014
Product: Cisco Unified Communications Domain Manager
Affected versions: –
Severity Rating: High / Medium / Low
Impact: Privilege escalation
Exposure of sensitive information
Attack Vector: Remote with / without authentication
Solution Status: Vendor patch
CVE reference: CVE-2014-2197
Multiple high risk security vulnerabilities were detected in the administration portal of the Cisco Unified Communications Domain Manager (a.k.a. CUCDM or VOSS Solutions Domain Manager). The security vulnerabilities can be used to obtain unauthorised access to the CUCDM services, to bypass the authorisation scheme, to elevate the current user privileges and to compromise the hosted VoIP services and infrastructure.
Please refer to the PDF version of this advisory for proof of concept code examples.
All vendor security fixes must be installed.
Fatih Ozavci from Sense of Security Labs.