CUCM Vulnerability

J_Fub
Level 1

Good Day,

Can anyone help with the solution to Threat of Anti DNS Pinning in CUCM?

Thanks.

2 Accepted Solutions

Adam Pawlowski
VIP Alumni

In general the configuration of the HA Proxy or Tomcat is not accessible, it is configured within the appliance. Some of the controls that are available include setting minimum TLS, adjusting presented ciphers, and controlling session timeouts. Sometimes system behaviors are adjusted when operating in a compliance mode like FIPS 140-2 or Common Criteria, however beyond this it is very likely there is no way to mitigate whatever issue your scanner is determining needs address. You can confirm with Cisco TAC, and then your organization can determine how to accept or mitigate this risk with some other control.

Before Cisco publish a CSA for this there is likely no one, or at least not that many, in this forum that can answer your question. Your best option is to reach out to TAC and open a SR with them to go into details on this.


7 Replies

It would be helpful if you were to link to the defect note.


Thanks Roger,

 

These are the defects below:

 

(1) To remove default virtual web-sites which reply to HTTP requests with arbitrary value of the HOST header.

 

(2) On IIS set a non-null 'Host header value' for all web sites.

 

(3) On Apache, set a non-null value of Server Name for all virtual sites (even if there is only one site, it should work as Virtual Host), and ensure that the site does not point to any other sites, but returns an error.

 

Thanks.

Do you have a link for the CSA that Cisco has posted for this defect that you ask about?


Hi Roger,

 

Unfortunately, I do not have the CSA, but from the scan tool used to scan for the vulnerabilities, these are the detailed results for the vulnerability:

 

Anti DNS Pinning (DNS rebinding) attack allows an attacker to manipulate the correspondence between IP address and fully qualified domain name (FQDN) with the purpose of initialising active content within the trust relationship with the vulnerable site.

 

This technique allows an attacker to use the target browser for obtaining access to protected sites (for example, such sites that are protected by firewall or those that require authentication).

 

Unlike Cross-Site Request Forgery (CSRF), the purpose of an Anti DNS Pinning attack is to obtain sensitive data (confidentiality violation), not to perform specific actions with an application (integrity violation). However, used in combination with CSRF, Anti DNS Pinning can allow gaining full access to a web application via the user's browser. The problem is that the server does not sufficiently verify the Host field in the HTTP request. The server should return an error if the received request includes an arbitrary address in the Host field.

 

Thanks.
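The scanner's remedy above is the same for IIS, Apache or any front end: serve only the hostnames the system is actually configured for and answer everything else with an error. As an added example (not part of this thread and not Cisco's code), here is that Host check in Python, extended to cover the cases a scanner probes: empty Host, bare IP literals, ports, and IPv6 brackets. The hostnames and ports in the allowlist are constructed assumptions.

```python
"""Host-header check against a DNS rebinding (Anti DNS Pinning) finding.

Rebinding works only if the server answers a request whose Host header
names some other origin that the attacker has re-pointed at this IP.
Serving known names only, and erroring on the rest, closes that gap.
"""
from ipaddress import ip_address

# Constructed allowlist (assumption): names and ports the service is
# configured for. A deployment would load these from its own config.
ALLOWED_HOSTS = {"cucm-pub.example.internal", "cucm.example.internal"}
ALLOWED_PORTS = {None, 443, 8443}


def split_host_port(host_header):
    """Split 'name:port' or '[v6]:port' into (name, port or None)."""
    value = host_header.strip().lower()
    if value.startswith("["):            # IPv6 literal, e.g. [::1]:8443
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        name, rest = value[1:end], value[end + 1:]
    elif value.count(":") == 1:          # plain name:port
        name, rest = value.split(":")
        rest = ":" + rest
    else:                                # no port, or bracketless IPv6
        name, rest = value, ""
    if rest == "":
        return name, None
    if not rest.startswith(":") or not rest[1:].isdigit():
        raise ValueError("malformed port")
    return name, int(rest[1:])


def host_allowed(host_header):
    """True only for an exact configured hostname on an allowed port.

    Rejects empty Host, raw IP literals (an attacker re-pointing DNS can
    always make the IP match), unknown names and unexpected ports.
    """
    if not host_header or not host_header.strip():
        return False
    try:
        name, port = split_host_port(host_header)
    except ValueError:
        return False
    name = name.rstrip(".")              # 'host.example.' == 'host.example'
    try:
        ip_address(name)
        return False                     # bare IP: never a configured vhost
    except ValueError:
        pass
    return name in ALLOWED_HOSTS and port in ALLOWED_PORTS


def handle(request_headers):
    """Minimal dispatch: 421 Misdirected Request for a Host we do not serve."""
    if not host_allowed(request_headers.get("Host", "")):
        return 421, "Misdirected Request"
    return 200, "OK"
```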


J_Fub
Level 1

Thanks Roger and Adam for your responses and advice, I will contact Cisco TAC.

 

Best Regards.