03-23-2015 01:22 PM - edited 03-17-2019 05:00 PM
Hi Team,
We have just deployed external Jabber with Expressway-C and E version 8.5. Our security team has done a security audit and raised some security concerns.
Kindly advise if you can on these points.
1- The security team was able to find the target system's version using Metasploit and also enumerate the verbs allowed from the external world.
Enumerated Information:
Version :- Cisco Video Communication Server (Tandberg) X8.5.1
Verbs Supported :- INVITE, ACK, BYE, CANCEL, INFO, REFER, NOTIFY
2- Username and password are stored in clear text in the jabber-config.xml file.
Although this file is only installed after a successful Jabber login, so user credentials are needed, an employee could use this account to hide any attacks.
File Path: C:\Users\UserName\AppData\Roaming\Cisco\Unified Communications\Jabber\CSF\Config\jabber-config.xml
3- The security team was able to send multiple INVITE floods (i.e. a DoS test) to an extension without getting blocked.
4- The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
An attacker could flood the traffic between the endpoint and the destination, trying to force the encryption to downgrade. If this is possible, an attacker could capture traffic and perform key brute-forcing at a later stage. Numerous insecurities in this cipher could lead to a successful decryption.
03-23-2015 05:19 PM
Regarding point 3, is this flooding INVITEs on the VCS Expressway?
03-24-2015 12:03 AM
Yes, it is from the Expressway to the internal CUCM network.
03-24-2015 07:49 PM
03-25-2015 02:57 AM
Thank you very much Jonathan,
For point one, I am not clear; the security auditor told us that they are able to find the version of the system and enumerate the verbs.
An attacker can check for version-specific vulnerabilities on the internet and perform a targeted attack. | Able to find the target system's version using Metasploit and also enumerate the verbs allowed from the external world. Enumerated Information: Version :- Cisco Video Communication Server (Tandberg) X8.5.1 Verbs Supported :- INVITE, ACK, BYE, CANCEL, INFO, REFER, NOTIFY | High | It is recommended to hide the system version and also the supported verbs. |
For the third point, the following is the detail.
An attacker can generate multiple such requests and flood the SIP gateway or a particular extension, leading to denial of service. | We were able to send multiple INVITE floods (i.e. a DoS test) to the XXXX@example.com extension without getting blocked. 151.253.1.52:5060 | High | It is recommended that INVITE floods be blocked by the device, in order to avoid the DoS. |
I would appreciate it if you could also clarify these points.
03-25-2015 08:33 AM
Take a look at the Intrusion Protection features on Expressway-E. The Cisco Expressway Administrator Guide (X8.5) covers this starting on page 29.
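As an added illustration of what a rate-based INVITE flood check does (this is example code written for this thread, not Cisco's implementation of the Expressway-E intrusion protection feature): a sliding-window detector over SIP request log lines. The log format, the threshold, the window and the IP addresses are all constructed assumptions.

```python
"""Flag sources that send too many SIP INVITEs in a short window.

Constructed example; the log format below is assumed, not Expressway's own.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <src_ip> <method> <request-uri>".
# 203.0.113.7 bursts six INVITEs in four seconds; 198.51.100.9 behaves normally.
SAMPLE_LOG = """\
2015-03-24T10:00:00 203.0.113.7 INVITE sip:1001@example.com
2015-03-24T10:00:00 203.0.113.7 INVITE sip:1001@example.com
2015-03-24T10:00:01 203.0.113.7 INVITE sip:1001@example.com
2015-03-24T10:00:01 198.51.100.9 INVITE sip:1002@example.com
2015-03-24T10:00:02 203.0.113.7 INVITE sip:1001@example.com
2015-03-24T10:00:02 203.0.113.7 INVITE sip:1001@example.com
2015-03-24T10:00:03 203.0.113.7 INVITE sip:1001@example.com
2015-03-24T10:00:09 198.51.100.9 ACK sip:1002@example.com
2015-03-24T10:00:30 198.51.100.9 INVITE sip:1002@example.com
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, src_ip, method, uri)."""
    ts, src, method, uri = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), src, method, uri


def find_invite_floods(log_text, threshold=5, window_seconds=10):
    """Return {src_ip: timestamp at which that source first exceeded the threshold}.

    A source is flagged once it has sent more than `threshold` INVITEs inside any
    sliding window of `window_seconds`. Retransmissions of one INVITE are not
    distinguished here; a production check would also key on Call-ID.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src_ip -> INVITE timestamps inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, _uri = parse_line(line)
        if method != "INVITE":
            continue                  # only INVITE rate matters for this check
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()               # drop timestamps that fell out of the window
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, ts in find_invite_floods(SAMPLE_LOG).items():
        print(f"{ts.isoformat()} INVITE flood from {src}")
```

With the defaults the burst from 203.0.113.7 is flagged at 10:00:03 and the second source is not; raising the threshold or shrinking the window changes what counts as a flood, which is the tuning decision the intrusion protection feature asks you to make.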