From the Security Experts

August 23, 2013

Cisco's Unified Communications Manager Gets Major Security Patches

By Contributing SIP Trunking Report Writer

It's a sigh of relief for those who use Cisco's Unified Communications Manager (UCM), as the company has released several new security patches for the system that address a set of vulnerabilities that recently came to light. Without the patches, outside intruders had several opportunities to wreak havoc throughout a larger deployment, executing commands and modifying system data potentially at will.

That sounds like a lot of potential problems stemming from just one vulnerable system, but the problem here was that the system in question, the UCM, serves such a major role within Cisco's IP Telephony solution. The UCM represents the entire call processing mechanism for the system, and it is required to connect to a variety of other components, from IP phones to VoIP gateways to media processing systems and several others.

With the security patches not in place, several different issues could arise, including what many consider the most serious, identified as CVE-2013-3462, which could cause a buffer overflow if exploited. The good news on this one is that, while it can be exploited remotely, it requires an attacker who has already been authenticated on the system, which somewhat limits the pool of potential attackers. But that wasn't all: three separate flaws could be exploited remotely by unauthenticated users to trigger denial of service (DoS) conditions.

These three flaws offered several different avenues for attack. The first, CVE-2013-3459, stemmed from improper error handling, allowing attackers to trigger the DoS by sending several malformed registration messages, though this was only a problem on UCM 7.1(x) versions. The second issue, CVE-2013-3460, was triggered by sending UDP packets at a high rate to certain UDP ports that had insufficient traffic rate limiting. This could be found on devices running 8.5(x), 8.6(x), and 9.0(x). Finally, the third, CVE-2013-3461, only affected the Session Initiation Protocol (SIP) service and was triggered by sending UDP packets specifically to port 5060, affecting UCM versions 8.5(x), 8.6(x), and 9.0(1).
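The two UDP flaws come down to missing rate limiting on ports that receive SIP and related traffic. As an added illustration that is not from the article or from Cisco, the following detector applies the kind of per-source rate check the article says was lacking to a set of constructed flow records; the threshold, the window length, the record format and the sample IP addresses are all assumptions made for the example.

```python
"""Per-source rate check for UDP traffic to a SIP port (constructed example)."""
from collections import defaultdict, deque

SIP_UDP_PORT = 5060  # the port named in CVE-2013-3461


def detect_udp_floods(records, window_s=1.0, threshold=100, port=SIP_UDP_PORT):
    """Flag any source that sends more than `threshold` UDP datagrams to `port`
    within a sliding window of `window_s` seconds.

    `records` are (timestamp_seconds, src_ip, dst_port, protocol) tuples, as one
    might derive from a flow export or packet capture (assumed format).
    Returns {src_ip: timestamp_at_which_it_was_first_flagged}.
    """
    recent = defaultdict(deque)  # src_ip -> timestamps still inside the window
    flagged = {}
    for ts, src, dport, proto in sorted(records):
        if proto != "udp" or dport != port:
            continue  # only the SIP port is subject to this check
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()  # drop datagrams that fell out of the window
        if len(window) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def constructed_records():
    """Constructed sample traffic: one phone registering normally, one host
    flooding port 5060, plus unrelated UDP traffic from the flooding host."""
    recs = []
    # Benign phone: a SIP registration roughly every 30 seconds.
    recs += [(t * 30.0, "10.0.0.21", SIP_UDP_PORT, "udp") for t in range(10)]
    # Flooding host: 500 datagrams to port 5060 within half a second.
    recs += [(60.0 + i * 0.001, "192.0.2.99", SIP_UDP_PORT, "udp") for i in range(500)]
    # Same host sending to another UDP port, which this check ignores.
    recs += [(60.0 + i * 0.001, "192.0.2.99", 53, "udp") for i in range(500)]
    return recs


if __name__ == "__main__":
    for src, ts in detect_udp_floods(constructed_records()).items():
        print(f"flood from {src} flagged at t={ts:.3f}s")
```

In a real deployment the same logic would be fed from flow records and tuned so that a site's busiest legitimate SIP endpoint stays well below the threshold.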

The vulnerabilities were found during testing within Cisco itself, and there are no known workarounds for these issues, so applying the patches is the remedy; at least for now, patched Cisco UCM systems are safe. This shows, however, how important continued vigilance actually is. With new attack vectors discovered on a regular basis, keeping a system secure is extremely important. Regular password changes and the like, potentially even moving to a two-factor authentication system, will also help keep outside attackers at bay.

These days, no system is truly safe for very long, and the sheer necessity of the systems in question makes protecting them especially vital. Thankfully, continuous vigilance can go a long way indeed when it comes to protecting the systems that businesses count on every day.

Edited by Alisen Downey