Cisco Products CTL Provider Remote Buffer Overflow Vulnerability
RISK: Medium Risk
A vulnerability has been identified in Cisco Unified CallManager and Unified Communications Manager, which could be exploited by remote attackers to cause a denial of service or take complete control of an affected system. This issue is caused by a heap overflow error in the CTL (Certificate Trust List) Provider service "CTLProvider.exe" (port 2444/TCP) when processing user-supplied data, which could be exploited by remote unauthenticated attackers to crash a vulnerable application or execute arbitrary code.
Impact
- Denial of Service
- Remote Code Execution
System / Technologies affected
- Cisco Unified CallManager 4.0
- Cisco Unified CallManager 4.1 versions prior to 4.1(3)SR5c
- Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR3
- Cisco Unified Communications Manager 4.3 versions prior to 4.3(1)SR1
Solutions
Before installing the software, please visit the software manufacturer's web site for more details.
Apply updates
CUCM 4.0:
Update to a fixed version of CUCM 4.1 or later.
CUCM 4.1:
Update to CUCM 4.1(3)SR5c, CUCM 4.1(3)SR6, or later.
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-41?psrtdcat20e2
CUCM 4.2:
Update to CUCM 4.2(3)SR3 or later.
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-42?psrtdcat20e2
CUCM 4.3:
Update to CUCM 4.3(1)SR1, CUCM 4.3(1)SR1a, or later.
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-43?psrtdcat20e2
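As an added example (not part of the advisory or of any Cisco tooling), the following Python script encodes the affected trains and first-fixed releases listed above so that an inventory of CUCM version strings can be checked against this advisory. The version-string grammar it accepts, major.minor(maintenance)SR<n><letter>, is inferred from the versions quoted on this page and is an assumption; trains the advisory does not mention are reported as not listed rather than as safe.

```python
import re
from typing import NamedTuple

# Version strings on the advisory look like "4.1(3)SR5c":
#   major.minor(maintenance)SR<service release><letter>   (assumed grammar)
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\((\d+)\))?(?:SR(\d+)([a-z])?)?$", re.IGNORECASE
)

class CucmVersion(NamedTuple):
    major: int
    minor: int
    maint: int    # 0 when no "(n)" maintenance part is present
    sr: int       # 0 when no service release is present
    letter: int   # 0 for none, 1 for 'a', 2 for 'b', ...

def parse_version(text: str) -> CucmVersion:
    """Parse a CUCM version string into a tuple that orders correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CUCM version: {text!r}")
    major, minor, maint, sr, letter = m.groups()
    return CucmVersion(
        int(major),
        int(minor),
        int(maint) if maint else 0,
        int(sr) if sr else 0,
        (ord(letter.lower()) - ord("a") + 1) if letter else 0,
    )

# First fixed release per train, exactly as the advisory states them.
# A train missing here (e.g. 5.x) is simply not covered by this advisory.
_FIRST_FIXED = {
    (4, 1): parse_version("4.1(3)SR5c"),
    (4, 2): parse_version("4.2(3)SR3"),
    (4, 3): parse_version("4.3(1)SR1"),
}

def is_affected(text: str) -> bool:
    """True if the version falls in a range the advisory lists as vulnerable."""
    v = parse_version(text)
    if (v.major, v.minor) == (4, 0):
        return True                 # every 4.0 release is listed as affected
    fixed = _FIRST_FIXED.get((v.major, v.minor))
    if fixed is None:
        return False                # train not listed by this advisory
    return v < fixed
```

Note that a bare service release such as 4.1(3)SR5 sorts before its lettered re-releases (SR5a, SR5b, SR5c), so it is correctly reported as affected.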
Vulnerability Identifier
- No CVE information is available