-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3504
       Cisco Unity Express Arbitrary Command Execution Vulnerability
                              8 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Unity Express
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15381  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-cue

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Unity Express Arbitrary Command Execution Vulnerability

Priority: Critical
Advisory ID: cisco-sa-20181107-cue
First Published: 2018 November 7 16:00 GMT
Version 1.0: Final
Workarounds: Yes
Cisco Bug IDs: CSCvm02856
 
CVE-2018-15381
CVSS Score:
Base 9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  * A Java deserialization vulnerability in Cisco Unity Express (CUE) could
    allow an unauthenticated, remote attacker to execute arbitrary shell
    commands with the privileges of the root user.

    The vulnerability is due to insecure deserialization of user-supplied
    content by the affected software. An attacker could exploit this
    vulnerability by sending a malicious serialized Java object to the
    listening Java Remote Method Invocation (RMI) service. A successful exploit
    could allow the attacker to execute arbitrary commands on the device with
    root privileges.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-cue

Affected Products

  * Vulnerable Products

    This vulnerability affects all releases of Cisco Unity Express prior to
    release 9.0.6. Administrators can use one of the following methods to
    determine which version of software is running on the device:

    Cisco Unity Express - Administration Login Page

    On the Cisco Unity Express Administration login page, under the heading 
    Cisco Unity Express - Administration, the Version field indicates the
    current version of software running on the device.

    Cisco Unity Express - Command Line Interface

    From the CUE CLI, enter the show software versions command. The following
    example shows a device that is running version 9.0.0:

        CUE# show software versions
        Cisco Unity Express Virtual version (9.0.0)
        Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  * Access Control List

    This vulnerability can be exploited over TCP port 1099. The CUE does not
    need this port to be open externally and may be blocked to protect against
    remote exploitation of this vulnerability. An administrator can configure
    an access control list that blocks all traffic with a destination port of
    TCP/1099 from reaching the CUE as shown in the following example:

        interface SM2/0
         ip unnumbered GigabitEthernet0/0
         ip access-group CSCvm02856_Mitigation in
         ip access-group CSCvm02856_Mitigation out
         service-module ip address 192.168.0.2 255.255.255.0
         !Application: CUE Running on SM
         service-module ip default-gateway 192.168.0.1
        !
        ip access-list extended CSCvm02856_Mitigation
         deny   tcp any host 192.168.0.2 eq 1099
         deny   tcp host 192.168.0.2 eq 1099 any
         permit any any

Fixed Software

  * Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    This vulnerability is fixed in Cisco Unity Express 9.0.6 and later
    releases. The software can be downloaded from the Software Center Cisco.com
    by navigating to Browse All > Unified Communications > Unified
    Communications Applications > Messaging > Unity Express > Unity Express
    Version 9.

    There are no current plans to release a fixed version of CUE 8.6. Customers
    on CUE 8.6 are recommended to implement the workaround or migrate to CUE
    9.0.6. 

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  * Cisco would like to thank Joshua Graham of TSS for reporting this
    vulnerability.

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-cue

Revision History

  * 
    +----------------------------------------------------------------------------+
    | Version |        Description        | Section | Status |       Date        |
    |---------+---------------------------+---------+--------+-------------------|
    | 1.0     | Initial public release.   | -       | Final  | 2018-November-07  |
    +----------------------------------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW+OI/2aOgq3Tt24GAQistBAAq5BHlXKXWJxn6Xhy7n5CazZDoTzvfbyH
ZvuwPAxWf30Vp8umVCnNNUSei4aJbDy5unzHfbwjLTndmd1HJJaYxH3l+Q6eJFyb
nnVAGqiAJtEP57DsfK20yu7vVjk2jCjIE0T5cgv59t4ulKnRyLpCKouXwLBwca4E
QQeXMGI4Ep5xhswK+uu1FZfGkkkN5bFTSXN7jeyZSIupjctabyA4Fh717TU6EaxY
ok1ih8crEl6Qp9CtUsk7ReJY8+4dvrpGrY9kgmY5BSc9o+MdONrittCaG2ZG0b67
pn9xg71bfcgblc+LqJDGYq8zF0NZyXP/3GZ9VdQm/+C+WNhcFIxLNJoF4u4SLChB
tn+5bYaW0l/7t+2VouJPDc29TVSsbo0m4C1ftprdiMWZqpTAoeyaHSGOpusyZsLb
epkARUVC5jysZhP5/uClGehOGBzh7aArwq6WkicTZBP52JcAb33S91PMP7MTwyfM
IRPqm9MCJUPhi5NNzZQJvfoDPyjUnDl6ph7Y7gDmW6kK6EzFqZPazS/cPhn3gcma
LPIpDMzwKaZ7Mp80ZH2MYB3Fjgrth1J9xiha1Rh1PBusmVrL60oQPvQRuYUYlR3o
zWpLQiVYs0Q6WPWIk41iOOVwRL1ovoj1ZVHFrVGwzbSsmq2otKhppS4YFzBSxxSI
RXZs0E6YhQY=
=9wOn
-----END PGP SIGNATURE-----