cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2188
Views
25
Helpful
8
Replies

CCX Remote Code Execution Vulnerability

cg
Level 1
Level 1

As you may be aware the following critical vulnerability has been released for CCX.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-rce-GMSC6RKN

 

Does anyone know what port Java Remote Management listens on on the CCX server? Is this just web ports 80/443?

 

 

Contact Center, UCCX

8 Replies 8

Anthony Holloway
Cisco Employee
Cisco Employee

This is from the port utilization guide, so I'd guess it's 6999, but I cannot say for certain.

TCP Ephemeral ports are used to accept connections during Java RMI communication. Java RMI clients know which port it need to connect, because RMI first connects to RMI Registry (well-known port - 6999) and get the information which ephemeral port client need to connect to. AppAdmin, Engine and CVD use RMI communication in CCX/IP-IVR, so TCP ephemeral port range is opened up for intracluster communication between these processes.

Source: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_6_2/configuration/guide/uccx_b_ccx-solution-port-guide-1162/uccx_b_ccx-solution-port-guide-1162_chapter_01.html

 

UPDATE:

In the Read Me for 11.6(2)ES06 it states that it might be TCP 12499. I'm still not certain though.  I just report what I find.

Defect ID Description Severity

CSCvq58289

Cisco UCCX RMI registry port was identified on tcp/12499 exposing JMX w/o Authenitcation

Sev3

 

EDIT: It's both ports and there are two different defects, each addressing one of the ports.

Thanks, I realise there's no work around but just trying to figure out if there's some mitigation that can be done in the interim until we plan the patch and maintenance window. If you run the UCS on its own network behind a firewall is this vulnerable CCX endpoint only used by the UCS servers in the cluster or do agents using finesse need access to these ports?

Finesse doesn't need this port. It's likely just between HA nodes and maybe the editor. Yeah, this is not a very likely attack risk. I bet more people have LDAP over 389 and don't even bat an eye, but Cisco publishes a PSIRT and everyone loses their...

I received a response back from BU - There is a non published option that will allow you to stay on 11.6(2) with the latest ES06 patch. Contacting TAC or your account Manager for the specifics.

Juicy info! Thanks!

 

EDIT: I opened my own TAC case and was told 11.6(2)ES06 does not fully fix the issue, though it does contain a related fix.

 

Also, Lior posted their TAC case notes sharing the same.

hi guys these following are answers from TAC

maybe you can find it helpful..

Q1: Which version should one upgrade to get a complete fix?

 

A: The customer should move to 12.0ES03 to get a complete fix for the vulnerability.

 

Q2: What versions are vulnerable?

 

A: All versions prior to 12.0ES03 are vulnerable. 12.5 is not impacted by this vulnerability.

 

Q3: What should a customer do if they don't wish to upgrade to 12.0ES03?

 

A: The customer should move to 1162ES06 to get a fix for defect CSCvq58289 [Bug-Preview for CSCvq58289] and block port 6999 on the firewall. The port should be blocked towards both UCCX nodes if it is HA deployment.  (Blocking a port on firewall does ensure higher security but is not bullet proof solution if some attacker manages to get past the firewall)

 

Q4: What is the impact of blocking port 6999 on the firewall?

 

A: Port 6999 RMI is used for intracluster communication and also for clients like RTR, script editor. So if customers have RTR or script editor that communicates through the firewall they won't be able to use these clients.

 

Q5: Why defect CSCvq58235  fix can't be ported to 11.x?

 

A: Fixing the problem requires upgrading the apache common collection(ACC) libraries. UCCX 11.x has many components using ACC libraries, and this dependency for all components can not be fulfilled in version 11.6.2.

 

I just wish the defects had the ports listed in them, otherwise it looks like the same exact defect.