Operating System:

[Cisco][Virtual]

Published:

26 May 2015

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ESB-2015.1385 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1385
       Cisco Unified Communications Manager Multiple Vulnerabilities
                                26 May 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Unified Communications Manager
Publisher:         Cisco Systems
Operating System:  Cisco
                   VMware ESX Server
Impact/Access:     Cross-site Request Forgery     -- Remote with User Interaction
                   Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0749  

Original Bulletin: 
   http://tools.cisco.com/security/center/viewAlert.x?alertId=38964

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Alert

Cisco Unified Communications Manager Multiple Vulnerabilities

Threat Type: CWE-20: Input Validation

IntelliShield ID: 38964

Version: 1

First Published: 2015 May 22 16:07 GMT

Last Published: 2015 May 22 16:07 GMT

Port: Not available

CVE: CVE-2015-0749

Urgency: Unlikely Use

Credibility: Confirmed

Severity: Mild Damage

CVSS Base: 4.3

CVSS Temporal: 3.7

Version Summary: Cisco Unified Communications Manager contains multiple 
vulnerabilities that could allow an unauthenticated, remote attacker to 
conduct cross-site scripting, cross-site request forgery, and phishing 
attacks. Updates are available.

Description

Multiple vulnerabilities in Cisco Unified Communications Manager could allow 
an unauthenticated, remote attacker to conduct cross-site scripting (XSS), 
cross-site request forgery (XSRF), and phishing attacks on the affected 
software.

The vulnerabilities are due to improper input validation of certain parameters
passed to the affected software. An attacker could exploit these 
vulnerabilities by convincing a user to follow a malicious link. A successful
exploit could allow the attacker to execute arbitrary script code in the 
context of the affected site or allow the attacker to access sensitive 
browser-based information.

Cisco has confirmed these vulnerabilities and software updates are available.

Warning Indicators

At the time this alert was first published, Cisco Unified Communications 
Manager 10.5(2.10000.5) was vulnerable. Later versions of Cisco Unified 
Communications Manager may also be vulnerable.

IntelliShield Analysis

To exploit these vulnerabilities, the attacker may provide a link that directs
a user to a malicious site and use misleading language or instructions to 
persuade the user to follow the link.

Vendor Announcements

Cisco has released bug ID CSCut66725 for registered users, which contains 
additional details and an up-to-date list of affected product versions.

Impact

An unauthenticated, remote attacker could exploit these vulnerabilities to 
execute arbitrary script code in the context of the affected site or allow the
attacker to access sensitive browser-based information.

Technical Information

The vulnerabilities are due to improper input validation of certain parameters
passed to the affected software.

An attacker could exploit these vulnerabilities by convincing a user to follow
a malicious link. A successful exploit could allow the attacker to execute 
arbitrary script code in the context of the affected site or allow the 
attacker to access sensitive browser-based information.

Safeguards

Administrators are advised to apply the appropriate updates.

Users should verify that unsolicited links are safe to follow.

For additional information about XSS attacks and the methods used to exploit 
these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding
Cross-Site Scripting (XSS) Threat Vectors.

For additional information about CSRF attacks and potential mitigation 
methods, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site 
Request Forgery Threat Vectors.

Administrators are advised to monitor affected systems.

Patches/Software

Cisco customers with active contracts can obtain updates through the Software
Center at the following link: Cisco. Cisco customers without contracts can 
obtain upgrades by contacting the Cisco Technical Assistance Center at 
1-800-553-2447 or 1-408-526-7209 or via email at tac@cisco.com.

Alert History

Initial Release

Product Sets

The security vulnerability applies to the following combinations of products.

Primary Products:

Cisco Cisco Unified Communications Manager 10.5 (2.10000.5)

Associated Products:

N/A

Alerts and bulletins on the Cisco Security Intelligence Operations Portal are
highlighted by analysts in the Cisco Threat Operations Center and represent a
subset of the comprehensive content that is available through Cisco Security 
IntelliShield Alert Manager Service. This customizable threat and 
vulnerability alert service provides security staff with access to timely, 
accurate, and credible information about threats and vulnerabilities that may
affect their environment.

LEGAL DISCLAIMER

The urgency and severity ratings of this alert are not tailored to individual
users; users may value alerts differently based upon their network 
configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED 
THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF 
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED 
THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION
IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE
TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES 
THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVWOxahLndAQH1ShLAQKgNxAAuzQ5oAFPB8JyWWuMNOBuvMIAQt5/MyVK
P3K4U7kQEExOlHEPnfH4Uwei9fbRGtfXI3Po7hm2s/vFf5zABesByIS5v1Mf2NnA
0Q1Dp6k//dK3AgDEuLMtTIZAOj0pLDyW4sHbukztbhGSK5X9x/D9n7iwazX6z4oj
XtWIkEnBRs5vCj8n9OKS0A5UV27Gy0dAZv2EnGN3R9xyzpkqUkk8vwZr2oj0P8TH
0Me+hNgQsXNEnnow/sw5rs0n0OAB4ia4mTlSoZG2RfsM5JifG1K0qxqcSQ9/CgWy
aj6xYJZQttoRbYRh1rdd5cF878YUoab4MhgWWPDhJDwa+7VjI+jq4+BJwFaW9xg+
t0hEV0jGr2P9dqOIUgfPqdTWasyRpA0PWaEkJIFF9RFiIyWu0Hxw+VdWefHeyrIX
VAovH0mUJ65Svf8qDoGZiXFFx6yH0yAzkcrxKAzniJdmpPmlMWysQ4Kovbygs/hh
vk1I0B1tsmoK7vc5YRmLTj6aVHE3QRaU+RROU//cs5Mq97J18xe4JfP8rNRKqh4Z
9CQjrdSvMkejWmI1deeaumgH39zGaxghCy7Q2wirQ/YNDl6GSg7OGjqr1QrsGAYJ
ayYNSnL3nnTvRMUCHI1NQO3+cex0Bmc6JMdZwpWk9B8xm18Nq5gd4nEvEMBJnxYE
ZTUQWoGvESM=
=yy8H
-----END PGP SIGNATURE-----