Vulnerability Bulletins
Command execution in Cisco Unified Communications Disaster Recovery Framework

Vulnerability classification

Property | Value
Confidence level | Official
Impact | Root compromise
Difficulty | Advanced
Required attacker level | Remote access, without an account, to a standard service
System information

Property | Value
Affected manufacturer | Networking
Affected software | Cisco Unified Communications Manager 5.x; Cisco Unified Communications Manager 6.x; Cisco Unified Communications Manager Business Edition; Cisco Unified Presence 1.x; Cisco Unified Presence 6.x; Cisco Emergency Responder 2.x; Cisco Mobility Manager 2.x
Description

A vulnerability has been discovered in Cisco Unified Communications Manager 5.x, 6.x and Business Edition, Cisco Unified Presence 1.x and 6.x, Cisco Emergency Responder 2.x, and Cisco Mobility Manager 2.x. The vulnerability lies in a design error in the Master Disaster Recovery Framework (DRF) server, which does not require authentication for requests arriving over the network. A remote attacker could cause a denial of service, obtain sensitive information, overwrite configuration parameters, or execute arbitrary commands with administrator privileges by sending a specially crafted request to TCP port 4040.
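Because the DRF Master service accepts unauthenticated requests, the first question for a defender is which hosts can actually reach TCP/4040 on the affected servers. The following Python snippet is an added example, not part of this bulletin and not Cisco's tooling: it reads firewall flow records in a hypothetical key=value format (the sample lines below are constructed) and flags any TCP/4040 connection whose source is outside a hypothetical allow-list of the cluster's own nodes, which is the kind of check to run while the patch is being rolled out.

```python
"""Flag inbound connections to the DRF Master port (TCP/4040) from hosts
outside a cluster allow-list.  Added example for triaging this advisory;
the log format, addresses and allow-list are constructed assumptions."""
import ipaddress
from typing import Dict, Iterable, List

DRF_PORT = 4040  # TCP port named in the advisory

# Hypothetical allow-list: the cluster's own nodes (publisher/subscribers)
# are the only hosts that legitimately talk to the DRF Master service.
CLUSTER_NODES = [ipaddress.ip_network("10.10.5.0/29")]


def parse_flow(line: str) -> Dict[str, str]:
    """Parse one 'key=value key=value ...' flow record into a dict.
    Tokens without '=' are ignored so a slightly malformed line does not abort the run."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_trusted(src: str) -> bool:
    """True if the source address belongs to one of the allow-listed cluster networks.
    An unparsable address is treated as untrusted."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in CLUSTER_NODES)


def find_untrusted_drf_access(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed records for TCP/4040 flows from non-cluster sources."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        flow = parse_flow(line)
        if flow.get("proto") != "tcp" or flow.get("dport") != str(DRF_PORT):
            continue  # not the DRF Master port, or not TCP
        src = flow.get("src")
        if src is None or is_trusted(src):
            continue  # intra-cluster traffic is expected
        hits.append(flow)
    return hits


# Constructed sample records: one legitimate cluster peer, one outside host
# hitting 4040, one outside host on an unrelated port, and one UDP record.
SAMPLE_FLOWS = [
    "ts=2008-04-11T10:00:01Z proto=tcp src=10.10.5.2 dst=10.10.5.1 dport=4040 action=allow",
    "ts=2008-04-11T10:00:07Z proto=tcp src=192.0.2.44 dst=10.10.5.1 dport=4040 action=allow",
    "ts=2008-04-11T10:00:09Z proto=tcp src=192.0.2.44 dst=10.10.5.1 dport=443 action=allow",
    "ts=2008-04-11T10:00:12Z proto=udp src=198.51.100.9 dst=10.10.5.1 dport=4040 action=allow",
]

if __name__ == "__main__":
    for hit in find_untrusted_drf_access(SAMPLE_FLOWS):
        print(f"untrusted DRF access: {hit['src']} -> {hit['dst']}:{hit['dport']} at {hit['ts']}")
```

Any hit is a host that can reach the unauthenticated service and should be cut off at the network boundary until the affected systems are patched.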
|
Solution

Cisco software update:
Cisco Unified Communications Manager 5.x, 6.x and Business Edition | patch ciscocm.CSCso53771.security.patch.cop
Cisco Unified Presence 1.x and 6.x | patch ciscocm.CSCso53771.security.patch.cop
Cisco Emergency Responder 2.x | patch ciscocm.CSCso53771.security.patch.cop
Cisco Mobility Manager 2.x | patch ciscocm.CSCso53771.security.patch.cop
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-utilpage?psrtdcat20e2
|
Standard resources

Property | Value
CVE | CVE-2008-1154
BID | 28591
Other resources

Cisco Security Advisory (cisco-sa-20080403-drf) http://www.cisco.com/warp/public/707/cisco-sa-20080403-drf.shtml

Version history

Version | Comments | Date
1.0 | Advisory issued | 2008-04-11