Wednesday, January 16, 2008

[NEWS] Cisco Unified Communications Manager CTL Provider Heap Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com


- - - - - - - - -

Cisco Unified Communications Manager CTL Provider Heap Overflow
------------------------------------------------------------------------


SUMMARY

Cisco Unified Communications Manager (CUCM), formerly CallManager,
contains a heap overflow vulnerability in the Certificate Trust List (CTL)
Provider service that could allow a remote, unauthenticated user to cause
a denial of service (DoS) condition or execute arbitrary code. There is a
workaround for this vulnerability.

Cisco has made free software available that addresses this vulnerability
for affected customers.

DETAILS

Vulnerable Systems:
* Cisco Unified CallManager version 4.0
* Cisco Unified CallManager version 4.1 prior to 4.1(3)SR5c
* Cisco Unified Communications Manager version 4.2 prior to 4.2(3)SR3
* Cisco Unified Communications Manager version 4.3 prior to 4.3(1)SR1

Immune Systems:
* CUCM versions 3.3, 5.0, 5.1, 6.0 and 6.1
* Cisco CallManager Express

Cisco Unified Communications Manager (CUCM) is the call processing
component of the Cisco IP telephony solution that extends enterprise
telephony features and functions to packet telephony network devices, such
as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and
multimedia applications.

When a CUCM server is deployed in secure mode, a Certificate Trust List
(CTL) is used by Cisco Unified IP Phone devices to verify the identity of
CUCM servers. The CTL contains public keys and other information to allow
the Cisco IP Phone devices to establish a trusted relationship with a CUCM
server. The CTL is provisioned using the CTL Provider service on a CUCM
server and with the CTL Provider client on an administrator workstation.
The CTL Provider service needs to be enabled during the initial
configuration of a CUCM server/cluster or when changes are required to the
CTL. Please consult the Workarounds section of this advisory for
information on how to determine if the CTL Provider service is enabled on
a CUCM server.

The CTL Provider service of the CUCM contains a heap overflow
vulnerability that could allow a remote, unauthenticated user to cause a
DoS condition or execute arbitrary code. The CTL Provider service listens
on TCP port 2444 by default, but the port can be modified by the user.
This issue is documented in Cisco Bug ID CSCsj22605.

Impact
Successful exploitation of this vulnerability may result in a DoS
condition or the execution of arbitrary code.

Workarounds
It is possible to work around the vulnerability by disabling the CTL
Provider service when it is not in use. Access to the CTL Provider service
is required only for the initial configuration of the CUCM authentication
and encryption features, or during updates to the CTL. For CUCM 4.x
systems, please consult the following documentation for details on how to
disable CUCM services:


http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a008070ec49.html

Filtering traffic to the affected CUCM systems on screening devices can be
used as a mitigation technique for this vulnerability. To mitigate the CTL
Provider service overflow, access to TCP port 2444 should be permitted
only between the CUCM servers and the administrator workstations running
the CTL Provider client. There is currently no supported method to
configure such filtering directly on a CUCM system, so it must be applied
on firewalls, routers or other screening devices in the path.

It is possible to change the default ports of the CTL Provider (TCP port
2444) service. If changed, filtering should be based on the port value
used. The value of the port can be viewed in CUCM Administration interface
by following the System > Service Parameters menu and selecting the CTL
Provider service.

Filters blocking access to TCP port 2444 should be deployed at the network
edge as part of a transit access control list (tACL). Further information
about transit access control lists is available in the white paper
"Transit Access Control Lists: Filtering at Your Edge," which is available
at the following link:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
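The two practical checks a practitioner wants from the workaround above are (a) confirming from an untrusted network segment that the CTL Provider port is actually filtered, and (b) producing the edge ACL entries that restrict that port to the cluster members and the CTL client workstations. The script below is an added example and is not part of the Cisco advisory or of any Cisco tool. It assumes a Cisco IOS extended named ACL syntax; the host addresses, the ACL name CUCM-CTL-TRANSIT and the loopback_listener() fixture are constructed for illustration. Pass the port actually configured under System > Service Parameters if the default has been changed.

```python
"""Audit and filter the CUCM CTL Provider port (TCP/2444 by default).

Added example, not Cisco code. Addresses below are constructed samples.
"""
import socket
from typing import Dict, Iterable, List

# Cisco's default CTL Provider port. An administrator can change it under
# System > Service Parameters, so always pass the value actually configured.
DEFAULT_CTL_PROVIDER_PORT = 2444


def ctl_port_reachable(host: str, port: int = DEFAULT_CTL_PROVIDER_PORT,
                       timeout: float = 3.0) -> bool:
    """True if a TCP three-way handshake to host:port completes.

    Run this from a host that should NOT be allowed to reach the CTL Provider
    (a user VLAN, a DMZ jump host): a True result there means the service is
    enabled and the filtering described in the advisory is not in place.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(hosts: Iterable[str],
                   port: int = DEFAULT_CTL_PROVIDER_PORT) -> Dict[str, bool]:
    """Map each CUCM server to whether its CTL Provider port answered."""
    return {h: ctl_port_reachable(h, port) for h in hosts}


def transit_acl(cucm_servers: Iterable[str], admin_hosts: Iterable[str],
                port: int = DEFAULT_CTL_PROVIDER_PORT,
                name: str = "CUCM-CTL-TRANSIT") -> List[str]:
    """Generate IOS extended-ACL lines that allow only the CUCM servers and
    the CTL Provider client workstations to reach the CTL Provider port.

    The fragment ends with explicit denies for that port only. Append the
    rest of the edge policy after these lines: IOS applies an implicit deny
    at the end of every ACL, so do not apply this fragment on its own.
    """
    servers = sorted(set(cucm_servers))
    allowed_sources = sorted(set(admin_hosts) | set(servers))
    lines = [f"ip access-list extended {name}",
             f" remark CTL Provider (TCP/{port}): admin workstations and cluster members only"]
    for src in allowed_sources:
        for dst in servers:
            if src != dst:  # a server never reaches its own CTL port via the edge
                lines.append(f" permit tcp host {src} host {dst} eq {port}")
    for dst in servers:
        lines.append(f" deny tcp any host {dst} eq {port} log")
    return lines


def loopback_listener() -> socket.socket:
    """Stand-in for a CUCM server with the CTL Provider enabled: a listening
    TCP socket on 127.0.0.1 with an ephemeral port (constructed fixture)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    # Constructed sample inventory; replace with the real cluster members and
    # the workstations that run the CTL Provider client.
    cucm = ["10.0.9.5", "10.0.9.6"]
    admins = ["10.0.1.10"]
    print("\n".join(transit_acl(cucm, admins)))
    for host, reachable in check_exposure(cucm).items():
        state = "REACHABLE - filter missing?" if reachable else "filtered/closed"
        print(f"{host}:{DEFAULT_CTL_PROVIDER_PORT} {state}")
```

The reachability check is only meaningful from a vantage point that should be blocked; from an administrator workstation it is expected to succeed. The generated denies carry the log keyword so that later connection attempts against the port show up on the screening device.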

Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080116-cucmctl.shtml


CVE Information:
CVE-2008-0027
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0027


ADDITIONAL INFORMATION

The information has been provided by the Cisco Systems Product Security
Incident Response Team (psirt@cisco.com).
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20080116-cucmctl.shtml

========================================



DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
