Cisco Unified Communications Manager Device Registration SQL Injection Vulnerability

2012-02-2916:23:38

tools.cisco.com

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS

0.001

Percentile

45.1%

JSON

Cisco Unified Communications Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands in a database underlying the affected application.

The vulnerability is due to improper sanitization of input in device registration requests. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious requests to the targeted system. If successful, the attacker could modify application database contents.

Cisco has confirmed the vulnerability in a security advisory and released software updates.

To exploit the vulnerability, an attacker must be able to send device registration requests over the network to the targeted system. This action would likely require that an attacker have internal network access to conduct an exploit. Most sites restrict external access to affected systems The access requirement reduces the potential for attack.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

Affected configurations

Vulners

Node

ciscounified_communications_managerMatchany

ciscobusiness_edition_3000_softwareMatchany

ciscobusiness_edition_5000_softwareMatchany

ciscobusiness_edition_6000_softwareMatchany

ciscounified_communications_managerMatchany

ciscobusiness_edition_5000Match3000_software

ciscobusiness_edition_5000Match5000_software

ciscobusiness_edition_5000Match6000_software

VendorProductVersionCPE
ciscounified_communications_manageranycpe:2.3:a:cisco:unified_communications_manager:any:*:*:*:*:*:*:*
ciscobusiness_edition_3000_softwareanycpe:2.3:a:cisco:business_edition_3000_software:any:*:*:*:*:*:*:*
ciscobusiness_edition_5000_softwareanycpe:2.3:a:cisco:business_edition_5000_software:any:*:*:*:*:*:*:*
ciscobusiness_edition_6000_softwareanycpe:2.3:a:cisco:business_edition_6000_software:any:*:*:*:*:*:*:*
ciscobusiness_edition_50003000_softwarecpe:2.3:h:cisco:business_edition_5000:3000_software:*:*:*:*:*:*:*
ciscobusiness_edition_50005000_softwarecpe:2.3:h:cisco:business_edition_5000:5000_software:*:*:*:*:*:*:*
ciscobusiness_edition_50006000_softwarecpe:2.3:h:cisco:business_edition_5000:6000_software:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	unified_communications_manager	any	cpe:2.3:a:cisco:unified_communications_manager:any:::::::*
cisco	business_edition_3000_software	any	cpe:2.3:a:cisco:business_edition_3000_software:any:::::::*
cisco	business_edition_5000_software	any	cpe:2.3:a:cisco:business_edition_5000_software:any:::::::*
cisco	business_edition_6000_software	any	cpe:2.3:a:cisco:business_edition_6000_software:any:::::::*
cisco	business_edition_5000	3000_software	cpe:2.3:h:cisco:business_edition_5000:3000_software:::::::*
cisco	business_edition_5000	5000_software	cpe:2.3:h:cisco:business_edition_5000:5000_software:::::::*
cisco	business_edition_5000	6000_software	cpe:2.3:h:cisco:business_edition_5000:6000_software:::::::*