{"id":73973,"date":"2013-07-22T22:18:07","date_gmt":"2013-07-22T22:18:07","guid":{"rendered":"https:\/\/www.voipsupply.com\/blog\/voip-insider\/?p=73973"},"modified":"2016-06-23T13:10:18","modified_gmt":"2016-06-23T13:10:18","slug":"cisco-unified-communications-manager-security-issues","status":"publish","type":"post","link":"https:\/\/www.voipsupply.com\/blog\/voip-insider\/cisco-unified-communications-manager-security-issues\/","title":{"rendered":"Security Issues Addressed for Cisco Unified Communications Manager"},"content":{"rendered":"<p>Cisco has announced that certain versions of <a title=\"Cisco Unified Communications Manager\" href=\"\/manufacturer\/cisco\" onclick=\"ga('send', 'event', 'voip-insider-blog-post', 'click', 'Cisco Unified Communications Manager');\">Cisco Unified Communications Manager<\/a> (Cisco Unified CM) are vulnerable to remote hacker attacks such as<\/p>\n<ul>\n<li>Blind Structured Query Language (SQL) injection<\/li>\n<li>Command injection<\/li>\n<li>Privilege escalation<\/li>\n<\/ul>\n<h2>Temporary Fix<\/h2>\n<p>Cisco explains how they found out about the problem through <a href=\"https:\/\/tools.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-20130717-cucm\" target=\"_blank\">independent researchers<\/a>:<\/p>\n<p style=\"padding-left: 30px\"><em>On June 6, 2013, a French security firm, Lexfo, delivered a public presentation on VoIP security that included a demonstration of multiple vulnerabilities used to compromise Cisco Unified CM. During the presentation, the researchers demonstrated a multistaged attack that chained a number of vulnerabilities, which resulted in a complete compromise of the Cisco Unified CM server.\u00a0<\/em><\/p>\n<p>A Cisco Options Package (COP) file has been released as a temporary fix to shore up the weaknesses and can be found on the\u00a0<a title=\"Cisco download page\" href=\"https:\/\/software.cisco.com\/download\/navigator.html\" target=\"_blank\">Cisco download page<\/a>. 
Look for the file named:<\/p>\n<ul>\n<li>cmterm-CSCuh01051-2.cop.sgn<\/li>\n<\/ul>\n<h2>Vulnerable Products<\/h2>\n<p>These versions of Cisco Unified CM are known to be vulnerable:<\/p>\n<ul>\n<li>Cisco Unified Communications Manager 7.1(x)<\/li>\n<li>Cisco Unified Communications Manager 8.5(x)<\/li>\n<li>Cisco Unified Communications Manager 8.6(x)<\/li>\n<li>Cisco Unified Communications Manager 9.0(x)<\/li>\n<li>Cisco Unified Communications Manager 9.1(x)<\/li>\n<\/ul>\n<p>These additional Cisco products might be vulnerable to the same attacks, but they haven&#8217;t been confirmed yet:<\/p>\n<ul>\n<li>Cisco Emergency Responder<\/li>\n<li>Cisco Unified Contact Center Express<\/li>\n<li>Cisco Unified Customer Voice Portal<\/li>\n<li>Cisco Unified Presence Server\/Cisco IM and Presence Service<\/li>\n<li>Cisco Unity Connection<\/li>\n<\/ul>\n<p>Lucian Constantin at PCWorld is also reporting that Cisco has warned users that denial-of-service (DoS) attacks could affect these products:<\/p>\n<ul>\n<li><a title=\"Cisco ASA 5500\" href=\"\/cisco-asa5505-sec-bun-k9\" onclick=\"ga('send', 'event', 'voip-insider-blog-post', 'click', 'Cisco ASA 5500-X Series Adaptive Security Appliances');\">Cisco ASA 5500-X Series Adaptive Security Appliances<\/a><\/li>\n<li>Cisco IPS 4500 Series Sensors<\/li>\n<li>Cisco IPS 4300 Series Sensors<\/li>\n<\/ul>\n<p>Via <a title=\"Cisco\" href=\"https:\/\/tools.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-20130717-cucm\" target=\"_blank\">Cisco<\/a> and <a title=\"PCWorld\" href=\"http:\/\/www.pcworld.com\/article\/2044643\/cisco-releases-security-patches-to-mitigate-attack-against-unified-communications-manager.html\" target=\"_blank\">PCWorld<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cisco has announced that certain versions of Cisco Unified Communications Manager (Cisco Unified CM) are vulnerable to remote hacker attacks such as Blind Structured Query Language (SQL) injection Command injection 
Privilege escalation Temporary Fix Cisco explains how they found out about the problem through independent researchers: On June 6, 2013, a French security firm, Lexfo, [&hellip;]<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1026],"tags":[],"class_list":["post-73973","post","type-post","status-publish","format-standard","hentry","category-announcements"],"_links":{"self":[{"href":"https:\/\/www.voipsupply.com\/blog\/voip-insider\/wp-json\/wp\/v2\/posts\/73973","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.voipsupply.com\/blog\/voip-insider\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.voipsupply.com\/blog\/voip-insider\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.voipsupply.com\/blog\/voip-insider\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/www.voipsupply.com\/blog\/voip-insider\/wp-json\/wp\/v2\/comments?post=73973"}],"version-history":[{"count":11,"href":"https:\/\/www.voipsupply.com\/blog\/voip-insider\/wp-json\/wp\/v2\/posts\/73973\/revisions"}],"predecessor-version":[{"id":187443,"href":"https:\/\/www.voipsupply.com\/blog\/voip-insider\/wp-json\/wp\/v2\/posts\/73973\/revisions\/187443"}],"wp:attachment":[{"href":"https:\/\/www.voipsupply.com\/blog\/voip-insider\/wp-json\/wp\/v2\/media?parent=73973"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.voipsupply.com\/blog\/voip-insider\/wp-json\/wp\/v2\/categories?post=73973"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.voipsupply.com\/blog\/voip-insider\/wp-json\/wp\/v2\/tags?post=73973"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}