CERT-MU Vulnerability Note VN-2009-9

Cisco Unified Communications Manager IP Phone Personal Address Book Synchronizer Privilege Escalation Vulnerability

Original Issue Date: March 23, 2009

Severity Rating: High

Systems Affected

  • Cisco Unified CallManager 4.1 versions
  • Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR4b
  • Cisco Unified Communications Manager 4.3 versions prior to 4.3(2)SR1b
  • Cisco Unified Communications Manager 5.x versions prior to 5.1(3e)
  • Cisco Unified Communications Manager 6.x versions prior to 6.1(3)
  • Cisco Unified Communications Manager 7.0 versions prior to 7.0(2)

Overview

A vulnerability has been reported in Cisco Unified Communications Manager that could allow an authenticated remote attacker to recover credentials from network traffic and then perform actions on the targeted system with elevated privileges.

Description

Cisco Unified Communications Manager, formerly Cisco Unified CallManager, contains a privilege escalation vulnerability in the IP Phone Personal Address Book (PAB) Synchronizer feature. When Cisco Unified Communications Manager is integrated with an external directory service, the PAB Synchronizer sends certain passwords over the network in clear text. An authenticated remote attacker can exploit this flaw by monitoring the traffic passed between their own system and the targeted Cisco Unified Communications Manager server and recovering the passwords from it. The recovered passwords can then be used to gain complete administrative access to the targeted Cisco Unified Communications Manager system.

Solution

Upgrade to the fixed versions listed in the Cisco Security Advisory:
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a8643c.shtml
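To check an installed build against the ranges in Systems Affected before applying the fix, here is an added example that is not code from CERT-MU or Cisco: a small Python checker that parses CUCM version strings in the form major.minor(maintenance[letter])[SRn[letter]] (for example "4.2(3)SR4b" or "5.1(3e)") and compares them with the first fixed release of each train listed above. The version-string format and the ordering assumptions (a letter suffix sorts after the bare release, an SR number after the maintenance release) are assumptions of this example and are not stated in the note; trains the note does not list, such as 7.1 or later, are reported as "not listed" rather than as fixed.

```python
import re
from typing import Optional, Tuple

# Version string format assumed by this example: major.minor(maint[letter])[SRn[letter]],
# e.g. "4.2(3)SR4b", "5.1(3e)", "7.0(2)". This format is an assumption, not taken
# from the advisory text.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)(?:SR(\d+)([a-z]?))?$")

VersionKey = Tuple[int, int, int, int, int, int]


def _letter_rank(suffix: str) -> int:
    """'' -> 0, 'a' -> 1, 'b' -> 2, ... so a suffixed release sorts after the bare one."""
    return ord(suffix) - ord("a") + 1 if suffix else 0


def parse_cucm_version(text: str) -> VersionKey:
    """Turn a CUCM version string into a tuple that compares in release order.

    Order assumed: major, minor, maintenance, maintenance letter, SR number, SR letter.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CUCM version string: {text!r}")
    major, minor, maint, maint_letter, sr, sr_letter = m.groups()
    return (
        int(major),
        int(minor),
        int(maint),
        _letter_rank(maint_letter),
        int(sr) if sr else 0,
        _letter_rank(sr_letter),
    )


# Each entry: (major, minor or None for "any minor", first fixed release or None for
# "every release in this train is affected"). Values come from the Systems Affected list.
AFFECTED_TRAINS = [
    (4, 1, None),          # Cisco Unified CallManager 4.1: all versions
    (4, 2, "4.2(3)SR4b"),  # 4.2 prior to 4.2(3)SR4b
    (4, 3, "4.3(2)SR1b"),  # 4.3 prior to 4.3(2)SR1b
    (5, None, "5.1(3e)"),  # 5.x prior to 5.1(3e)
    (6, None, "6.1(3)"),   # 6.x prior to 6.1(3)
    (7, 0, "7.0(2)"),      # 7.0 prior to 7.0(2)
]


def is_affected(version: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if it is at or past the
    first fixed release of a listed train, None if the note does not cover that train."""
    key = parse_cucm_version(version)
    for major, minor, first_fixed in AFFECTED_TRAINS:
        if key[0] != major or (minor is not None and key[1] != minor):
            continue
        if first_fixed is None:
            return True
        return key < parse_cucm_version(first_fixed)
    return None


def triage(versions) -> dict:
    """Map each version string to 'affected', 'fixed' or 'not listed'."""
    labels = {True: "affected", False: "fixed", None: "not listed"}
    return {v: labels[is_affected(v)] for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory for demonstration, not real hosts.
    inventory = ["4.1(3)SR5", "4.2(3)SR4a", "4.2(3)SR4b", "5.0(4)", "5.1(3e)",
                 "6.1(2)", "6.1(3a)", "7.0(1)", "7.0(2)", "7.1(2)"]
    for version, status in triage(inventory).items():
        print(f"{version:12s} {status}")
```

A "not listed" result is a prompt to consult the Cisco advisory for that train, not a clean bill of health; the checker only encodes the ranges printed in this note.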

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Vendor Information

Cisco
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a8643c.shtml


CVE Name
CVE-2009-0632

References

Cisco
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a8643c.shtml

http://tools.cisco.com/security/center/viewAlert.x?alertId=17775

SecurityTracker
http://securitytracker.com/alerts/2009/Mar/1021839.html

Last Updated 20-Jul-2011