Thursday, August 30, 2007

[NEWS] XSS and SQL Injection in Cisco CallManager/Unified Communications Manager Logon Page

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

XSS and SQL Injection in Cisco CallManager/Unified Communications Manager
Logon Page
------------------------------------------------------------------------


SUMMARY

Cisco CallManager and Unified Communications Manager are vulnerable to
cross-site Scripting (XSS) and SQL Injection attacks in the lang variable
of the admin and user logon pages. A successful attack may allow an
attacker to run JavaScript on computer systems connecting to CallManager
or Unified Communications Manager servers, and has the potential to
disclose information within the database.

Cisco has made free software available to address these vulnerabilities
for affected customers.

DETAILS

Affected Products
Vulnerable Products
Cisco CallManager and Unified Communications Manager versions prior to the
following are affected by these vulnerabilities:
* 3.3(5)sr2b
* 4.1(3)sr5
* 4.2(3)sr2
* 4.3(1)sr1

The software version of a CallManager or Unified Communications Manager
system can be determined by navigating to Show > Software via the
administration interface.

For Unified Communications Manager version 5.0, the software version can
also be determined by running the command show version active in the
Command Line Interface (CLI).

For CallManager and Unified Communications Manager version 3.x and 4.x
systems, the software version can be determined by navigating to Help >
About Cisco Unified CallManager and selecting the Details button via the
administration interface.

Note: Cisco Unified CallManager versions 4.3, 5.1 and 6.0 have been
renamed to Cisco Unified Communications Manager. Software versions 3.3,
4.0, 4.1, 4.2 and 5.0 retain the Cisco Unified CallManager name.

Products Confirmed Not Vulnerable
No other Cisco products are known to be affected by this vulnerability.

No other versions of CallManager or Unified Communications Manager are
vulnerable.

Details
Cisco Unified CallManager/Communications Manager (CUCM) is the call
processing component of the Cisco IP telephony solution which extends
enterprise telephony features and functions to packet telephony network
devices such as IP phones, media processing devices, voice-over-IP (VoIP)
gateways, and multimedia applications.

The cross-site scripting vulnerability and the SQL injection vulnerability
are triggered when a specially crafted value is entered in the lang
variable of either the admin or user logon pages. Attacks against these
vulnerabilities are conducted through the web interface and use the http
or https protocol. In the case of the cross-site scripting vulnerability,
the malicious value includes scripting code enclosed by the <script> and
</script> tags. In the case of the SQL injection vulnerability, the value
terminates the SQL call and completes a call to the back-end database.

An attacker must be able to convince a user into following a specially
crafted URL in order to successfully exploit the cross-site scripting
vulnerability.

The cross-site scripting vulnerability is documented as bug ID
<http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsi10728> CSCsi10728 ( registered customers only) .

The SQL injection vulnerability is documented as bug ID
<http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsi64265> CSCsi64265 ( registered customers only) .

Impact
An attacker could exploit the cross-site scripting vulnerability to steal
account credentials or run unauthorized JavaScript on the client system.

An attacker could exploit the SQL injection vulnerability to read a single
value from the database. Several successful attacks could disclose
information about the database, information such as user names and
passwords, and information from call records such as the time calls are
placed and the numbers dialed. This vulnerability cannot be used to alter
or delete call record information from the database.

Workarounds
There are no workarounds for these vulnerabilities.

Cross-site scripting, also known as XSS, is a flaw within web applications
that enables malicious users, vulnerable websites, or owners of malicious
websites to send malicious code to the browsers of unsuspecting users. The
malicious code is usually in the form of a script embedded in the URL of a
link or the code may be stored on the vulnerable server or malicious
website. The browser will execute the malicious script because the web
content is assumed to be from a trusted site and the browser does not have
a way to validate the URL or HTML content. A main source of XSS attacks is
websites that do not properly validate user-submitted content for
dynamically generated web pages.

Because of the nature of XSS vulnerabilities, network mitigation
techniques are generally ineffective. To reduce the risk of users becoming
victims of XSS attacks, users should be educated about the URL
verification limitations of browsers. Countermeasures should also be
implemented in the browser through scripting controls. Scripting controls
do allow the ability to define policies to restrict code execution.

For additional information on XSS attacks and the methods used to exploit
these vulnerabilities, please refer to the Cisco Applied Intelligence
Response "Understanding Cross-Site Scripting (XSS) Threat Vectors",
available at:
<http://www.cisco.com/warp/public/707/cisco-air-20060922-understanding-xss.shtml> http://www.cisco.com/warp/public/707/cisco-air-20060922-understanding-xss.shtml.


ADDITIONAL INFORMATION

The information has been provided by <mailto:psirt@cisco.com> Cisco
Systems Product Security Incident Response Team.
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20070829-ccm.shtml>

http://www.cisco.com/warp/public/707/cisco-sa-20070829-ccm.shtml

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment