Core Issue

These products are vulnerable:

• Cisco Unified CallManager 3.3, versions earlier than 3.3(5)SR3
  
  
• Cisco Unified CallManager 4.1, versions earlier than 4.1(3)SR5
  
  
• Cisco Unified CallManager 4.2, versions earlier than 4.2(3)SR2
  
  
• Cisco Unified Communications Manager 4.3, versions earlier than 4.3(1)SR1
  
  
• Cisco Unified CallManager 5.0 and Communications Manager 5.1, versions earlier than 5.1(2)

Cisco Unified Communications Manager version 6.0 and Cisco CallManager Express are not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities.

Cisco Unified Communications Manager, formerly Cisco CallManager, is the call processing component of the Cisco IP telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.

Vulnerability Details

• CTL Provider Service Overflow
  
  The Certificate Trust List (CTL) Provider service of Cisco Unified Communications Manager contains a heap overflow vulnerability that can allow a remote, unauthenticated user to cause a denial of service (DoS) condition or execute arbitrary code. The CTL Provider service listens on TCP port 2444 by default, but the port is user-configurable. This vulnerability is corrected in these Cisco Unified Communications Manager versions:
  
  
  • 4.1(3)SR5
    
    
  • 4.2(3)SR2
    
    
  • 4.3(1)SR1
    
    
  • 5.1(2)
     
  Cisco Unified Communications Manager 3.x is not affected by this vulnerability.
  
  This issue is documented in Cisco bug ID CSCsi03042.
  
  
• RIS Data Collector Heap Overflow
  
  The Real-Time Information Server (RIS) Data Collector service of Cisco Unified Communications Manager contains a heap overflow vulnerability that can allow a remote, unauthenticated user to cause a DoS condition or execute arbitrary code. The RIS Data Collector process listens on TCP port 2556 by default, but the port is user-configurable. This vulnerability is corrected in these Cisco Unified Communications Manager versions:
  
  
  • 3.3(5)SR2b
    
    
  • 4.1(3)SR5
    
    
  • 4.2(3)SR2
    
    
  • 4.3(1)SR1
    
    
  • 5.1(2)
     
  This issue is documented in Cisco bug ID CSCsi10509.

Resolution

It is possible to workaround the CTL Provider service overflow vulnerability. In order to do this, disable the CTL Provider service if it is not needed. Access to the CTL Provider service is usually only required during the initial configuration of Cisco Unified Communications Manager authentication and encryption features. Refer to these documents:

•    Refer to Service Activation for Cisco Unified Communications Manager 4.x systems.
  
  
•    Refer to Managing Services for Cisco Unified Communications Manager 5.x systems.
     

Filter traffic to affected Cisco Unified Communications Manager systems on screening devices as a mitigation technique for both vulnerabilities:

• Permit access to TCP port 2444 only between the Cisco Unified Communications Manager systems where the CTL Provider service is active and the CTL Client, usually on the workstation of the administrator, in order to mitigate the CTL Provider service overflow.
  
  
• Permit access to TCP port 2556 only from other Cisco Unified Communications Manager cluster systems in order to mitigate the RIS Data Collector overflow.

It is possible to change the default ports of the CTL Provider (2444/TCP) and RIS Data Collector (2556/TCP) services. If changed, filtering must be based on the values used. The values of the ports can be viewed in the Cisco Unified Communications Manager Administration interface. In order to do this, choose System > Service Parameters, and choose the appropriate service.

There is currently no method to configure filtering directly on a Cisco Unified Communications Manager system.

Although it is often difficult to the block traffic that transits the network, it is possible to identify traffic that must never be allowed to target the infrastructure devices and block that traffic at the border of the network. Infrastructure access lists (ACLs) are considered a network security best practice and must be considered as a long-term addition to good network security, as well as a workaround for this specific vulnerability. The filters must be included as part of an infrastructure access list which protects all devices with IP addresses in the infrastructure IP address range.

Refer to Protecting Your Core: Infrastructure Protection Access Control Lists, which explains guidelines and recommended deployment techniques for infrastructure protection access lists.

Filters that block access to TCP/2444 and TCP/2556 must be deployed at the network edge as part of a transit access list which protects the router where the ACL is configured, as well as other devices behind it. Refer to Transit Access Control Lists: Filtering at Your Edge for more information about transit ACLs.

Cisco will make free software available to address this vulnerability for affected customers. This case will be updated as fixed software becomes available. Prior to the deployment of software, consult the maintenance provider or check the software for feature set compatibility and known issues specific to the environment.

Fixed software for Cisco Unified Communications Manager can be obtained here:

* Cisco strongly recommends to upgrade to Cisco Unified Communications Manager 5.1(2a) or later in order to obtain fixes for the security vulnerabilities described in this case.

Refer to Cisco Security Advisory: Cisco Unified Communications Manager and Presence Server Unauthorized Access Vulnerabilities for more information.