Cisco Systems on Wednesday shipped a high-priority fix for its Cisco Unified Communications Manager software, formerly known as CallManager.
Cisco gave the flaw, which allows remote code execution, a CVSS Base Score of 10, the highest rating available.
According to Cisco's advisory, CallManager has a heap overflow vulnerability "in the Certificate Trust List (CTL) Provider service that could allow a remote, unauthenticated user to cause a denial of service (DoS) condition or execute arbitrary code."
The vulnerability (CVE-2008-0027) affects the following products:
- Cisco Unified CallManager 4.0
- Cisco Unified CallManager 4.1 Versions prior to 4.1(3)SR5c
- Cisco Unified Communications Manager 4.2 Versions prior to 4.2(3)SR3
- Cisco Unified Communications Manager 4.3 Versions prior to 4.3(1)SR1
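Checking a fleet against that list by hand is error-prone because Cisco version strings such as 4.1(3)SR5c do not sort as plain text. The following Python, an added example rather than code from the article or from Cisco, parses those strings into comparable tuples and reports which hosts still fall inside the affected ranges above. The hostnames and versions in the sample inventory are constructed for the demo, and the ordering of lettered service releases (SR5 before SR5a before SR5b) is an assumption.

```python
import re

# Fixed releases listed on the page for each affected 4.x train; 4.0 has no
# fixed release listed, so every 4.0 build is treated as affected.
FIXED_IN = {
    (4, 1): "4.1(3)SR5c",
    (4, 2): "4.2(3)SR3",
    (4, 3): "4.3(1)SR1",
}
WHOLE_TRAIN_AFFECTED = {(4, 0)}

# Cisco-style version string: major.minor(maintenance) with an optional
# service-release suffix SRn and an optional trailing letter, e.g. 4.1(3)SR5c.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:SR(\d+)([a-z])?)?$")


def parse_version(text):
    """Turn '4.1(3)SR5c' into a comparable tuple (4, 1, 3, 5, 3).

    Assumption: a service release without a letter (SR5) precedes the same
    service release with a letter (SR5a, SR5b, ...), so the letter maps to
    0 when absent and to its position in the alphabet otherwise.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised CUCM version string: %r" % text)
    major, minor, maint, sr, letter = m.groups()
    letter_rank = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(maint), int(sr or 0), letter_rank)


def is_affected(version_text):
    """True if the version falls inside the affected ranges listed above."""
    version = parse_version(version_text)
    train = version[:2]
    if train in WHOLE_TRAIN_AFFECTED:
        return True
    fixed = FIXED_IN.get(train)
    if fixed is None:
        # Train not in the advisory's list (e.g. 5.x): not affected per the page.
        return False
    return version < parse_version(fixed)


def triage(inventory):
    """Map {hostname: version} to the sorted list of hosts still needing the fix."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are made up for the demo).
SAMPLE_INVENTORY = {
    "cucm-hq-1": "4.1(3)SR5b",   # one service release short of the fix
    "cucm-hq-2": "4.1(3)SR5c",   # fixed
    "cucm-dc-1": "4.2(3)SR2",    # affected
    "cucm-dc-2": "4.3(1)SR1",    # fixed
    "cucm-lab":  "4.0(2)",       # whole 4.0 train is affected
    "cucm-new":  "5.1(2)",       # not in the affected list
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs the CSCsj22605 fix")
```

A version match only says a host runs vulnerable code; whether the CTL Provider service is actually enabled and on which TCP port it listens (2444 by default, but configurable) is what decides exposure, and the article defers that check to the Workarounds section of Cisco's advisory.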
Here are the technical details of how the vulnerability works:
Cisco Unified Communications Manager (CUCM) is the call processing component of the Cisco IP telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.
When a CUCM server is deployed in secure mode, a Certificate Trust List (CTL) is used by Cisco Unified IP Phone devices to verify the identity of CUCM servers. The CTL contains public keys and other information to allow the Cisco IP Phone devices to establish a trusted relationship with a CUCM server. The CTL is provisioned using the CTL Provider service on a CUCM server and with the CTL Provider client on an administrator workstation. The CTL Provider service needs to be enabled during the initial configuration of a CUCM server/cluster or when changes are required to the CTL. Please consult the Workarounds section of this advisory for information on how to determine if the CTL Provider service is enabled on a CUCM server.
The CTL Provider service of the CUCM contains a heap overflow vulnerability that could allow a remote, unauthenticated user to cause a DoS condition or execute arbitrary code. The CTL Provider service listens on TCP port 2444 by default, but the port can be modified by the user. This issue is documented in Cisco Bug ID CSCsj22605.
Cisco, which includes a more detailed workaround in its advisory, credits TippingPoint for finding the vulnerability, which thus far hasn't been exploited. TippingPoint noted that authentication isn't required to exploit the flaw.