Skip to main content

Cisco IOS for Unified Communications Manager Express Vulnerability

Last Update Date: 28 Jan 2011 Release Date: 25 Sep 2009 5444 Views

RISK: Medium Risk

A vulnerability has been identified in Cisco IOS for Unified Communications Manager Express, which could be exploited by attackers to cause a denial of service or compromise a vulnerable system. This issue is caused by a buffer overflow error in the login section of the Extension Mobility feature when processing malformed messages while the device is configured for Cisco Unified CME, which could allow an attacker with a registered phone IP address to crash an affected system or execute arbitrary code.

Note: If the auto-registration feature is enabled (by default), an attacker can register its IP address and subsequently exploit the vulnerability.


Impact

  • Denial of Service
  • Remote Code Execution

System / Technologies affected

  • Cisco IOS 12.x

  • Cisco Unified Communications 500 Series


Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

  • Upgrade to fixed versions :
    http://www.cisco.com/warp/public/707/cisco-sa-20090923-cme.shtml

    Users with contracts should obtain upgraded software through regular update channels. Most users can obtain upgrades via the Software Center on Cisco's Worldwide Web site at http://www.cisco.com/.

    Users without contracts should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

    +1 800 553 2447 (toll-free call within North America)
    +1 408 526 7209 (toll call from elsewhere in the world)
    E-mail: [email protected]


Vulnerability Identifier


Source


Related Link