Cisco releases security patches to mitigate attack against Unified Communications Manager - robertsfromens
Cisco Systems released a security patch for its Unified Communications Manager (Unified CM) enterprise telephony products in order to mitigate an attack that could allow hackers to take full control of the systems. The company also patched denial-of-service vulnerabilities in its Intrusion Prevention System software.
The Cisco Unified CM is a call processing component that extends enterprise telephone features and functions to IP phones, media processing devices, VoIP gateways, and multimedia applications, according to Cisco.
At the beginning of June, researchers from a French security consultancy firm called Lexfo publicly demonstrated an attack that chained together multiple "blind" SQL injection, command injection and privilege escalation vulnerabilities in order to compromise a Cisco Unified CM server.
The demonstration also revealed that all versions of Cisco Unified CM use a static hard-coded encryption key to encrypt sensitive data stored in the server's database, including user credentials.
"The first blind SQL injection allows an unauthenticated, remote attacker to use the hard-coded encryption key to obtain and decrypt a local user account. This allows for a subsequent, true blind SQL injection," Cisco said Wednesday in a security advisory.
"Successful exploitation of the command injection and privilege escalation vulnerabilities could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges," the company said.
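The two weaknesses Cisco describes above, a query that splices untrusted input into SQL and returns only a yes/no answer (the oracle a blind injection relies on), and credentials protected by a single static key rather than stored in a form that cannot be reversed, are easier to see side by side in code. The following is an added illustration written for this page; it is not code from the article, from Lexfo's demonstration or from Cisco's product. It uses an in-memory SQLite database with constructed sample users, and every function and table name in it is hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demonstration (not real credentials).
SAMPLE_USERS = [("alice", "correct horse battery staple"), ("bob", "hunter2")]

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated one-way hash.

    Contrast with encrypting the credential under a static key shared by every
    installation: a leaked row here yields nothing a single hard-coded key
    could decrypt, and the per-user salt defeats precomputed tables.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def build_db() -> sqlite3.Connection:
    """Create the hypothetical users table and populate it from SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, password in SAMPLE_USERS:
        salt = os.urandom(16)  # fresh random salt per account
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?)",
            (name, salt, hash_password(password, salt)),
        )
    conn.commit()
    return conn


def user_exists_unsafe(conn: sqlite3.Connection, name: str) -> bool:
    """Vulnerable pattern: user input is pasted into the SQL text.

    The caller only learns True/False, which is exactly the one-bit oracle a
    blind SQL injection needs; the database still evaluates whatever SQL the
    input turned the statement into.
    """
    row = conn.execute(f"SELECT 1 FROM users WHERE name = '{name}'").fetchone()
    return row is not None


def user_exists_safe(conn: sqlite3.Connection, name: str) -> bool:
    """Hardened form: the input is bound as a parameter and can only ever be
    compared as a string value, never parsed as SQL."""
    row = conn.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None


def verify_password(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Check a login without ever storing or decrypting the plaintext password."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt), stored)


def demo() -> dict:
    """Run both lookups against a string that changes the SQL's meaning."""
    conn = build_db()
    probe = "nobody' OR '1'='1"  # generic textbook input; not a user that exists
    return {
        "unsafe_probe": user_exists_unsafe(conn, probe),  # True: the OR clause is executed
        "safe_probe": user_exists_safe(conn, probe),      # False: compared as a literal name
        "login_ok": verify_password(conn, "alice", "correct horse battery staple"),
        "login_bad": verify_password(conn, "alice", "wrong password"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsafe lookup answers True for an input that names no real user, because the spliced-in text was evaluated as SQL; the parameterized lookup answers False because the same text was treated as data. On the storage side, the point is that there is no key to find: a row copied out of the database cannot be turned back into a password, whereas data encrypted under one key shared by every installation is only as secret as that key.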
Cisco has released a security patch in the form of a Cisco Options Package (COP) called "cmterm-CSCuh01051-2.cop.sgn" that addresses some of the vulnerabilities used in the attack, including the one allowing the initial blind SQL injection.
Customers can download the file from Cisco's website and install it as a temporary fix until the company releases new and patched versions of the Unified CM software.
The COP file mitigates the initial attack vector and reduces the documented attack surface, Cisco said. However, other vulnerabilities used in the attack remain unpatched.
The remaining vulnerabilities are still being investigated and no workarounds are available for them yet, the company said.
Versions 7.1.x, 8.5.x, 8.6.x, 9.0.x and 9.1.x of the Cisco Unified CM are affected by the publicly demonstrated attack. Version 8.0 is also affected, but is no longer supported. Customers using this version are advised to contact Cisco for assistance in upgrading to a supported version.
Other possible threats
The company is also investigating the possibility that some of its other voice products are affected by one or more of the individual vulnerabilities used in the attack. These products are the Cisco Emergency Responder, Cisco Unified Contact Center Express, Cisco Unified Customer Voice Portal, Cisco Unified Presence Server/Cisco IM and Presence Service and Cisco Unity Connection.
On Wednesday, Cisco also advised customers about several denial-of-service vulnerabilities affecting the software running on some of its Intrusion Prevention System (IPS) products.
Products affected by one or several of those vulnerabilities are the Cisco ASA 5500-X Series IPS Security Services Processor (IPS SSP) software and hardware modules; Cisco IPS 4500 Series Sensors; Cisco IPS 4300 Series Sensors; the Cisco IPS Network Module Enhanced (NME) and the Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module.
The company has released patched versions of the Cisco IPS Software for those products, except for the Cisco IDSM-2. A workaround for the vulnerability affecting Cisco IDSM-2 was made available.
Source: https://www.pcworld.com/article/452951/cisco-releases-security-patches-to-mitigate-attack-against-unified-communications-manager.html
Posted by: robertsfromens.blogspot.com