how to address some Vulnerabilities in cisco collaboration apps

engreda22
Level 1

Dear All,

As a result of a PCI scan, I have to address vulnerabilities related to CUCM, CUC and CCX, as listed below.

1- OpenSSH < 7.0 Multiple Vulnerabilities:

OpenSSH contains a vulnerability which can allow a remote attacker to bypass the XSECURITY restrictions when forwarding X11 connections by making use of an ineffective timeout check.

Need to upgrade to SSH > 7.

2- Triple DES Birthday Attack Vulnerability (Sweet32):

The Triple-DES cipher algorithm contains a vulnerability which can allow an attacker to recover secure HTTP cookies when performing a man-in-the-middle attack.

Need to disable Triple-DES ciphers on the system.

Please let me know how to fix those two vulnerabilities.

CUCM version 12.0.1

Thanks


3 Replies

Jonathan Schulenberg
Hall of Fame
What are the CVE identifiers for the vulnerabilities identified? Has Cisco published a PSIRT for that CVE with stated plans for how they intend to address it?
https://tools.cisco.com/security/center/publicationListing.x

As for the cipher suites, you can now adjust them in CUCM 12.0 but doing so comes with a big warning that you are responsible for testing/qualifying every component in your solution supports stronger ciphers than the ones you disable. Older phones and gateways will be the most likely problematic points.
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_5_1/cucm_b_security-guide-1251/cucm_b_security-guide-1251_chapter_01.html#reference_68972012B0460E00571F79B1735FC5E9

Thanks Jonathan for your reply.
The CVE of the first vulnerability is CVE-2015-5352, and it is recorded against a non-Cisco product:
https://tools.cisco.com/security/center/viewAlert.x?alertId=41120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5352
However, in the PCI scan report it shows up in Cisco Unity, as attached.

Also, I checked the procedure for changing the cipher suite, but it is not applicable in my CM OS:
1- From Cisco Unified OS Administration, choose Security > Cipher Management. (This option is not available.)
Please check the attached.
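The thread turns on two questions: does the host really still advertise an OpenSSH version below 7.0, and does its HTTPS service still accept a Triple-DES suite (the condition a Sweet32 scanner flags)? The script below is an added example, not code from this thread, from Cisco, or from the PCI scanner. It reads the SSH identification line and compares the OpenSSH version against 7.0, and it attempts a TLS 1.2-or-lower handshake on port 443 offering only 3DES suites, so a handshake failure means the server has disabled them. The host name `cucm.example.invalid` and the sample banners in the comments are constructed. Two caveats a practitioner should keep in mind: a banner below 7.0 is not by itself proof that CVE-2015-5352 is exploitable on a platform whose vendor backports fixes, which is why the PSIRT question above matters; and, as the reply notes, removing 3DES from a CUCM cluster must be tested against the older phones and gateways that may still need it.

```python
"""Independent re-check of the two PCI findings discussed in the thread:
an OpenSSH banner below 7.0, and a TLS service still offering Triple-DES suites.
Added example, not Cisco's code. Host names and banners here are constructed."""
import re
import socket
import ssl
from typing import Optional, Tuple

# Identification line as sent by OpenSSH, e.g. "SSH-2.0-OpenSSH_7.4p1" (constructed sample).
OPENSSH_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")

# Substrings that mark Triple-DES suites in OpenSSL names (DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA).
THREE_DES_MARKERS = ("DES-CBC3", "3DES")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an SSH identification line, or None if it is not OpenSSH."""
    m = OPENSSH_BANNER_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def openssh_below(banner: str, minimum: Tuple[int, int] = (7, 0)) -> Optional[bool]:
    """True when the advertised OpenSSH version is below `minimum` (the scanner's threshold).
    None when the banner is not OpenSSH, so 'unknown' is never mistaken for 'fixed'.
    Versions are compared as integers, so 10.0 correctly ranks above 7.0."""
    version = parse_openssh_version(banner)
    if version is None:
        return None
    return version < minimum


def is_3des_suite(name: str) -> bool:
    """True for an OpenSSL-style cipher suite name that uses Triple DES."""
    upper = name.upper()
    return any(marker in upper for marker in THREE_DES_MARKERS)


def fetch_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server identification line; an SSH server sends it before any client data."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(256).decode("ascii", errors="replace").strip()


def server_accepts_3des(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Offer only 3DES suites in the ClientHello and return the negotiated suite name,
    or None if the server refuses (handshake failure: no common cipher, i.e. 3DES is off).
    Certificate verification is disabled on purpose: this tests cipher policy, not trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # set_ciphers() only governs TLS 1.2 and below; cap the version so a TLS 1.3 server
    # cannot negotiate an AES-GCM suite and produce a false "3DES accepted" result.
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # @SECLEVEL=0 lets a modern OpenSSL offer 3DES, which it otherwise refuses to negotiate.
    # This raises ssl.SSLError on a build with no 3DES suites at all.
    ctx.set_ciphers("3DES:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                negotiated = tls.cipher()  # (name, protocol, secret bits) or None
    except ssl.SSLError:
        return None
    if not negotiated:
        return None
    name = negotiated[0]
    return name if is_3des_suite(name) else None


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "cucm.example.invalid"  # assumed host name
    banner = fetch_ssh_banner(host)
    print(f"{host}:22 banner {banner!r} -> below OpenSSH 7.0: {openssh_below(banner)}")
    suite = server_accepts_3des(host)
    print(f"{host}:443 3DES accepted: {suite or 'no'}")
```

Run it as `python check_pci_findings.py <cucm-host>` against each node the scanner flagged. The two checks are deliberately separate: the SSH finding is version-based and only a patched platform or a vendor statement can close it, while the 3DES finding is behavioural, so re-running the handshake after a cipher change is the evidence the QSA will want. Because this handshake only asks whether 3DES is offered, it does not perform the long-lived, high-volume Sweet32 attack itself; that is also all the scanner does.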