
             AUSCERT External Security Bulletin Redistribution

       Cisco Unity Express Arbitrary Command Execution Vulnerability
                              8 November 2018


        AusCERT Security Bulletin Summary

Product:           Cisco Unity Express
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15381  

Original Bulletin: 

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco Unity Express Arbitrary Command Execution Vulnerability

Priority: Critical
Advisory ID: cisco-sa-20181107-cue
First Published: 2018 November 7 16:00 GMT
Version 1.0: Final
Workarounds: Yes
Cisco Bug IDs: CSCvm02856
CVSS Score:
Base 9.8


  * A Java deserialization vulnerability in Cisco Unity Express (CUE) could
    allow an unauthenticated, remote attacker to execute arbitrary shell
    commands with the privileges of the root user.

    The vulnerability is due to insecure deserialization of user-supplied
    content by the affected software. An attacker could exploit this
    vulnerability by sending a malicious serialized Java object to the
    listening Java Remote Method Invocation (RMI) service. A successful exploit
    could allow the attacker to execute arbitrary commands on the device with
    root privileges.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:

Affected Products

  * Vulnerable Products

    This vulnerability affects all releases of Cisco Unity Express prior to
    release 9.0.6. Administrators can use one of the following methods to
    determine which version of software is running on the device:

    Cisco Unity Express - Administration Login Page

    On the Cisco Unity Express Administration login page, under the heading 
    Cisco Unity Express - Administration, the Version field indicates the
    current version of software running on the device.

    Cisco Unity Express - Command Line Interface

    From the CUE CLI, enter the show software versions command. The following
    example shows a device that is running version 9.0.0:

        CUE# show software versions
        Cisco Unity Express Virtual version (9.0.0)
        Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.
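    Added example, not part of the Cisco advisory or AusCERT bulletin: a small
    Python triage helper that reads the output of "show software versions" in
    the format shown above, extracts the release, and classifies each device
    against the 9.0.6 fixed release named in this advisory. The sample outputs
    are constructed, not captured from real devices; the optional "Virtual"
    word in the regex is an assumption made so that non-virtual module builds
    are also parsed.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed release named in the advisory; any earlier release is affected.
FIXED_RELEASE = (9, 0, 6)

# Matches the version line of "show software versions". The advisory's sample
# reads "Cisco Unity Express Virtual version (9.0.0)"; the optional "Virtual"
# is an assumption to cover non-virtual module builds as well.
VERSION_RE = re.compile(
    r"Cisco Unity Express(?: Virtual)? version \((\d+)\.(\d+)\.(\d+)\)"
)

# Constructed sample outputs in the advisory's format (not from real devices).
SAMPLE_OUTPUTS: Dict[str, str] = {
    "cue-a": "CUE# show software versions\n"
             "Cisco Unity Express Virtual version (9.0.0)\n"
             "Technical Support: http://www.cisco.com/techsupport\n",
    "cue-b": "CUE# show software versions\n"
             "Cisco Unity Express Virtual version (9.0.6)\n",
    "cue-c": "CUE# show software versions\n"
             "Cisco Unity Express version (8.6.9)\n",
    "cue-d": "CUE# show software versions\n"
             "% Connection refused\n",
}


def parse_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from CLI output, or None if absent."""
    m = VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(output: str) -> Dict[str, Optional[str]]:
    """Classify one device's CLI output against the advisory's fixed release."""
    v = parse_version(output)
    if v is None:
        return {"version": None, "status": "unknown"}
    if v >= FIXED_RELEASE:
        status = "fixed"
    elif v[:2] == (8, 6):
        # Advisory: no fixed 8.6 release is planned; apply the ACL mitigation
        # or migrate off 8.6.
        status = "vulnerable-no-fix-planned"
    else:
        status = "vulnerable"
    return {"version": "%d.%d.%d" % v, "status": status}


def triage(outputs: Dict[str, str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Run assess() over a mapping of hostname -> captured CLI output."""
    return {host: assess(out) for host, out in outputs.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_OUTPUTS).items():
        print(f"{host}: {verdict['version']} -> {verdict['status']}")
```

    Tuple comparison handles releases such as 9.0.10 correctly (it sorts after
    9.0.6), which a plain string comparison would not.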


  * Access Control List

    This vulnerability can be exploited over TCP port 1099. The CUE does not
    need this port to be open externally and may be blocked to protect against
    remote exploitation of this vulnerability. An administrator can configure
    an access control list that blocks all traffic with a destination port of
    TCP/1099 from reaching the CUE as shown in the following example:

        interface SM2/0
         ip unnumbered GigabitEthernet0/0
         ip access-group CSCvm02856_Mitigation in
         ip access-group CSCvm02856_Mitigation out
         service-module ip address <CUE-IP-address> <mask>
         !Application: CUE Running on SM
         service-module ip default-gateway <gateway-IP>
        ! <CUE-IP-address>, <mask> and <gateway-IP> are placeholders for the
        ! service-module addressing already configured on the router.
        ip access-list extended CSCvm02856_Mitigation
         deny   tcp any host <CUE-IP-address> eq 1099
         deny   tcp host <CUE-IP-address> eq 1099 any
         permit ip any any
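    Added example, not part of the Cisco advisory or AusCERT bulletin: a Python
    audit check that parses an IOS configuration snippet like the one above and
    reports, per interface, whether an access-group applied in both directions
    explicitly denies TCP/1099 before any broad permit. ACLs use first-match
    semantics, so a "permit ip any any" placed ahead of the deny silently
    defeats the mitigation; the check catches that ordering mistake. The
    configurations and the 192.0.2.x addresses are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# IOS configuration lines used by the advisory's mitigation.
ACL_HEADER_RE = re.compile(r"^ip access-list extended (\S+)$")
INTERFACE_RE = re.compile(r"^interface (\S+)$")
ACCESS_GROUP_RE = re.compile(r"^ip access-group (\S+) (in|out)$")
# Optional sequence number, then the access-control entry itself.
ACE_RE = re.compile(r"^(?:\d+\s+)?(deny|permit)\s+(.*)$")
# An entry that blocks TCP to port 1099 on a specific host (the RMI listener).
DENY_TO_1099_RE = re.compile(r"^tcp\s+any\s+host\s+\S+\s+eq\s+1099$")
# A broad permit that would match TCP/1099 traffic if evaluated first.
BROAD_PERMIT_RE = re.compile(r"^(?:ip|tcp)\s+any\s+any$")

Acl = List[Tuple[str, str]]          # ordered (action, rest) entries


def parse_ios_config(config: str) -> Tuple[Dict[str, Acl], Dict[str, Dict[str, str]]]:
    """Return (acls, interfaces): ACL name -> entries, interface -> {dir: ACL}."""
    acls: Dict[str, Acl] = {}
    interfaces: Dict[str, Dict[str, str]] = {}
    current_acl: Optional[str] = None
    current_intf: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # blank or comment line
        if m := ACL_HEADER_RE.match(line):
            current_acl, current_intf = m.group(1), None
            acls.setdefault(current_acl, [])
            continue
        if m := INTERFACE_RE.match(line):
            current_intf, current_acl = m.group(1), None
            interfaces.setdefault(current_intf, {})
            continue
        if current_acl is not None:
            if m := ACE_RE.match(line):
                acls[current_acl].append((m.group(1), m.group(2)))
        elif current_intf is not None:
            if m := ACCESS_GROUP_RE.match(line):
                interfaces[current_intf][m.group(2)] = m.group(1)
    return acls, interfaces


def acl_blocks_rmi(entries: Acl) -> bool:
    """First-match semantics: the explicit deny must precede any broad permit.

    Heuristic: only "permit ip/tcp any any" is treated as defeating the deny;
    narrower permits are not evaluated. An ACL with no explicit deny returns
    False even though the implicit deny would also drop the traffic, because
    the audit looks for the advisory's explicit mitigation.
    """
    for action, rest in entries:
        if action == "deny" and DENY_TO_1099_RE.match(rest):
            return True
        if action == "permit" and BROAD_PERMIT_RE.match(rest):
            return False
    return False


def mitigated_interfaces(config: str) -> Dict[str, bool]:
    """For each interface carrying an access-group, True only if the ACLs
    applied in both directions block TCP/1099, as the advisory's example does."""
    acls, interfaces = parse_ios_config(config)
    result: Dict[str, bool] = {}
    for intf, groups in interfaces.items():
        if not groups:
            continue
        result[intf] = all(
            acl_blocks_rmi(acls.get(groups.get(d, ""), [])) for d in ("in", "out")
        )
    return result


# Constructed configurations (addresses from the documentation range 192.0.2.0/24).
MITIGATED_CONFIG = """\
interface SM2/0
 ip unnumbered GigabitEthernet0/0
 ip access-group CSCvm02856_Mitigation in
 ip access-group CSCvm02856_Mitigation out
 service-module ip address 192.0.2.10 255.255.255.0
 !Application: CUE Running on SM
 service-module ip default-gateway 192.0.2.1
!
ip access-list extended CSCvm02856_Mitigation
 deny   tcp any host 192.0.2.10 eq 1099
 deny   tcp host 192.0.2.10 eq 1099 any
 permit ip any any
"""

# Same ACL, but the broad permit comes first, so the denies never match.
WRONG_ORDER_CONFIG = MITIGATED_CONFIG.replace(
    " deny   tcp any host 192.0.2.10 eq 1099\n deny   tcp host 192.0.2.10 eq 1099 any\n permit ip any any\n",
    " permit ip any any\n deny   tcp any host 192.0.2.10 eq 1099\n deny   tcp host 192.0.2.10 eq 1099 any\n",
)

if __name__ == "__main__":
    print(mitigated_interfaces(MITIGATED_CONFIG))     # {'SM2/0': True}
    print(mitigated_interfaces(WRONG_ORDER_CONFIG))   # {'SM2/0': False}
```

    Feed it the relevant sections of "show running-config" from each router
    hosting a CUE module; interfaces with no access-group at all are omitted
    from the result, which is itself a finding worth reviewing.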

Fixed Software

  * Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free

    Fixed Releases

    This vulnerability is fixed in Cisco Unity Express 9.0.6 and later
    releases. The software can be downloaded from the Software Center Cisco.com
    by navigating to Browse All > Unified Communications > Unified
    Communications Applications > Messaging > Unity Express > Unity Express
    Version 9.

    There are no current plans to release a fixed version of CUE 8.6. Customers
    on CUE 8.6 are recommended to implement the workaround or migrate to CUE

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.


  * Cisco would like to thank Joshua Graham of TSS for reporting this


  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-cue

Revision History

    | Version |        Description        | Section | Status |       Date        |
    | 1.0     | Initial public release.   | -       | Final  | 2018-November-07  |

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967