Details of VAR-E-201409-0018

ID

VAR-E-201409-0018

CVE

cve_id:	CVE-2014-8008	Trust: 1.0
cve_id:	CVE-2014-6271	Trust: 1.0
cve_id:	CVE-2014-6278	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 37816

EDB ID

37816

TITLE

Cisco Unified Communications Manager - Multiple Vulnerabilities - Multiple webapps Exploit

Trust: 1.0

sources: EXPLOIT-DB: 37816

DESCRIPTION

Cisco Unified Communications Manager - Multiple Vulnerabilities. CVE-2014-8008CVE-2014-6271CVE-126132CVE-126131CVE-117422 . webapps exploit for Multiple platform

Trust: 1.0

sources: EXPLOIT-DB: 37816

AFFECTED PRODUCTS

vendor:	cisco	model:	unified communications manager	scope:	-	version:	-	Trust: 1.0
vendor:	xerox	model:	workcentre	scope:	eq	version:	7245	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7242	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7238	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7235	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7232	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7228	Trust: 0.3
vendor:	xerox	model:	phaser	scope:	eq	version:	78000	Trust: 0.3
vendor:	xerox	model:	phaser	scope:	eq	version:	67000	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9393	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9303	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9302	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9301	Trust: 0.3
vendor:	ubuntu	model:	linux lts i386	scope:	eq	version:	12.04	Trust: 0.3
vendor:	ubuntu	model:	linux lts amd64	scope:	eq	version:	12.04	Trust: 0.3
vendor:	ubuntu	model:	linux sparc	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux powerpc	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux i386	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux arm	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux amd64	scope:	eq	version:	10.04	Trust: 0.3
vendor:	sun	model:	solaris	scope:	eq	version:	11	Trust: 0.3
vendor:	oracle	model:	vm virtualbox	scope:	eq	version:	3.2	Trust: 0.3
vendor:	oracle	model:	vm virtualbox	scope:	eq	version:	3.1	Trust: 0.3
vendor:	oracle	model:	linux	scope:	eq	version:	5	Trust: 0.3
vendor:	oracle	model:	enterprise linux	scope:	eq	version:	6.2	Trust: 0.3
vendor:	oracle	model:	enterprise linux	scope:	eq	version:	6	Trust: 0.3
vendor:	oracle	model:	enterprise linux	scope:	eq	version:	5	Trust: 0.3
vendor:	mcafee	model:	email gateway patch	scope:	eq	version:	7.01	Trust: 0.3
vendor:	mcafee	model:	email gateway	scope:	eq	version:	7.0	Trust: 0.3
vendor:	mcafee	model:	email gateway hotfix	scope:	eq	version:	6.7.22	Trust: 0.3
vendor:	mcafee	model:	email gateway hotfix	scope:	eq	version:	6.7.21	Trust: 0.3
vendor:	ibm	model:	ds8000	scope:	eq	version:	0	Trust: 0.3
vendor:	ibm	model:	aix	scope:	eq	version:	7.1	Trust: 0.3
vendor:	ibm	model:	aix	scope:	eq	version:	6.1	Trust: 0.3
vendor:	ibm	model:	aix	scope:	eq	version:	5.3	Trust: 0.3
vendor:	hp	model:	insight control	scope:	eq	version:	0	Trust: 0.3
vendor:	gnu	model:	bash	scope:	eq	version:	4.2	Trust: 0.3
vendor:	gentoo	model:	linux	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	wide area application services	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	unified ip phone	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	unified contact center express	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	network analysis module	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	mds	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	gss 4492r global site selector	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	emergency responder	scope:	eq	version:	1.1	Trust: 0.3
vendor:	cisco	model:	digital media manager	scope:	eq	version:	5.0	Trust: 0.3
vendor:	cisco	model:	digital media manager	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	show and share	scope:	eq	version:	5(2)	Trust: 0.3
vendor:	avaya	model:	ip deskphone	scope:	eq	version:	96x16.2	Trust: 0.3
vendor:	avaya	model:	ip deskphone	scope:	eq	version:	96x16	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 37816

EXPLOIT

Vantage Point Security Advisory 2015-001
========================================

Title: Cisco Unified Communications Manager Multiple Vulnerabilities
Vendor: Cisco
Vendor URL: http://www.cisco.com/
Versions affected: <9.2, <10.5.2, <11.0.1.
Severity: Low to medium
Vendor notified: Yes
Reported: Oct. 2014
Public release: Aug. 13th, 2015
Author: Bernhard Mueller <bernhard[at]vantagepoint[dot]sg>

Summary:
--------

Cisco Unified Communications Manager (CUCM) offers services such as session
management, voice, video, messaging, mobility, and web conferencing.

During the last year, Vantage Point Security has reported four security
issues to Cisco as listed below.

1. Shellshock command injection
--------------------------------

Authenticated users of CUCM can access limited functionality via the web
interface and Cisco console (SSH on port 22). Because the SSH server is
configured to process several environment variables from the client and a
vulnerable version of bash is used, it is possible to exploit command
injection via specially crafted environment variables (CVE-2014-6271 a.k.a.
shellshock). This allows an attacker to spawn a shell running as the user
"admin".

Several environment variables can be used to exploit the issue. Example:

$ LC_PAPER="() { x;};/bin/sh" ssh Administrator@examplecucm.com

2. Local File Inclusion
-----------------------

The application allows users to view the contents of any locally accessible
files on the web server through a vulnerability known as LFI (Local File
Inclusion). LFI vulnerabilities are commonly used to download application
source code, configuration files and files containing sensitive information
such as passwords. Exploiting this issue requires a valid user account.

https://cucm.example.com/:8443/reporter-servlet/GetFileContent?Location=/&FileName=/usr/local/thirdparty/jakarta-tomcat/conf/tomcat-users.xml

3. Unauthenticated access to ping command
-----------------------------------------

The pingExecute servlet allows unauthenticated users to execute pings to
arbitrary IP addresses. This could be used by an attacker to enumerate the
internal network. The following URL triggers a ping of the host 10.0.0.1:

https://cucm.example.com:8443/cmplatform/pingExecute?hostname=10.0.0.1&interval=1.0&packetsize=12&count=1000&secure=false

4. Magic session ID allows unauthenticated access to SOAP calls
---------------------------------------------------------------

Authentication for some methods in the EPAS SOAP interface can be bypassed
by using a hardcoded session ID. The methods "GetUserLoginInfoHandler" and
"GetLoggedinXMPPUserHandler" are affected.

Fix Information:
----------------

Upgrade to CUCM version 9.2, 10.5.2 or 11.0.1.

References:
-----------

https://tools.cisco.com/quickview/bug/CSCus88031
https://tools.cisco.com/quickview/bug/CSCur49414
https://tools.cisco.com/quickview/bug/CSCum05290
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
http://tools.cisco.com/security/center/viewAlert.x?alertId=37111

Timeline:
---------

2014/10: Issues reported to Cisco;
2015/07: Confirm that all issues have been fixed.

About Vantage Point Security:
--------------------

Vantage Point is the leading provider for penetration testing and security
advisory services in Singapore. Clients in the Financial, Banking and
Telecommunications industries select Vantage Point Security based on
technical competency and a proven track record to deliver significant and
measurable improvements in their security posture.

https://www.vantagepoint.sg/
office[at]vantagepoint[dot]sg

Trust: 1.0

sources: EXPLOIT-DB: 37816

EXPLOIT LANGUAGE

txt

Trust: 1.0

sources: EXPLOIT-DB: 37816

PRICE

free

Trust: 1.0

sources: EXPLOIT-DB: 37816

TYPE

Multiple Vulnerabilities

Trust: 1.0

sources: EXPLOIT-DB: 37816

CREDITS

Bernhard Mueller

Trust: 1.0

sources: EXPLOIT-DB: 37816

EXTERNAL IDS

db:	NVD	id:	CVE-2014-8008	Trust: 1.0
db:	NVD	id:	CVE-2014-6271	Trust: 1.0
db:	EXPLOIT-DB	id:	37816	Trust: 1.0
db:	JUNIPER	id:	JSA10661	Trust: 0.3
db:	JUNIPER	id:	JSA10648	Trust: 0.3
db:	ICS CERT	id:	ICSA-14-269-01	Trust: 0.3
db:	CERT/CC	id:	VU#252743	Trust: 0.3
db:	MCAFEE	id:	SB10085	Trust: 0.3
db:	NVD	id:	CVE-2014-7169	Trust: 0.3
db:	NVD	id:	CVE-2014-6278	Trust: 0.3
db:	BID	id:	70166	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 37816

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20140926-bash	Trust: 1.3
url:	https://nvd.nist.gov/vuln/detail/cve-2014-6271	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2014-8008	Trust: 1.0
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04540692	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=ssg1s1004879	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685873	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685875	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21687971	Trust: 0.3
url:	http://www.gnu.org/software/bash/	Trust: 0.3
url:	http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096315	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04478866	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/1a2e5-5116a33c2fb27/cert_security_mini-_bulletin_xrx15k_for_77xx_r15-03_v1.0.pdf	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686433	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004898	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=isg3t1021279	Trust: 0.3
url:	https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04558068	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686246	Trust: 0.3
url:	https://www-304.ibm.com/connections/blogs/psirt/entry/security_bulletin_vulnerabilities_in_bash_affect_certain_qlogic_products_that_ibm_resells_for_bladecenter_and_flex_system_products_cve_2014_6271_c	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21685733	Trust: 0.3
url:	http://www.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-372538.htm	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=ssg1s1004905	Trust: 0.3
url:	http://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04561445	Trust: 0.3
url:	http://seclists.org/fulldisclosure/2014/oct/25	Trust: 0.3
url:	http://www.vmware.com/security/advisories/vmsa-2014-0010.html	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685673	Trust: 0.3
url:	https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_bash	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=ssg1s1004982	Trust: 0.3
url:	http://www.fortiguard.com/advisory/fg-ir-14-030/	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21687079	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686445	Trust: 0.3
url:	http://seclists.org/bugtraq/2015/feb/77	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004928	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/29a7e-50e49f9c009f9/cert_security_mini_bulletin_xrx14g_for_77xx_v1.1.pdf	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04471532	Trust: 0.3
url:	https://supportcenter.checkpoint.com/supportcenter/portal?eventsubmit_dogoviewsolutiondetails=&solutionid=sk102673	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21685541	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686479	Trust: 0.3
url:	https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04497042	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/bluu-9paps5	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479536	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479492	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=ssg1s1004903	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=nas8n1020272	Trust: 0.3
url:	https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04512907	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/bluu-9paptz	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004911	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2eeef-51056e459c6d8/cert_security_mini-_bulletin_xrx15h_for_p7800_v1_0.pdf	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479505	Trust: 0.3
url:	https://kc.mcafee.com/corporate/index?page=content&id=kb83017	Trust: 0.3
url:	http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html?ref=rss	Trust: 0.3
url:	http://lcamtuf.blogspot.in/2014/09/quick-notes-about-bash-bug-its-impact.html	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004915	Trust: 0.3
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10085	Trust: 0.3
url:	https://ics-cert.us-cert.gov/advisories/supplement-icsa-14-269-01	Trust: 0.3
url:	https://downloads.avaya.com/css/p8/documents/100183172	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04487573	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004945	Trust: 0.3
url:	http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096533	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=ssg1s1004932	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04488200	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479601	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685749	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2a901-510567b876a35/cert_security_mini-_bulletin_xrx15g_for_p6700_v1_0.pdf	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04497075	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479402	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685691	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686131	Trust: 0.3
url:	http://kb.juniper.net/infocenter/index?page=content&id=jsa10661&cat=sirt_1&actp=list	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479398	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21686024	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2b8d8-513128526dd97/cert_security_mini-_bulletin_xrx15m_for_wc75xx_v1_1.pdf	Trust: 0.3
url:	http://seclists.org/bugtraq/2015/feb/76	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21685837	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=isg3t1021272	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/bluu-9paptm	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/1a7a1-50f12e334b734/cert_security_mini-_bulletin_xrx14h_for_wc59xx_v1.pdf	Trust: 0.3
url:	https://lists.gnu.org/archive/html/bug-bash/2014-10/msg00040.html	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2a20e-5105457a515cc/cert_security_mini-_bulletin_xrx15e_for_wc57xx_v1_0.pdf	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004897	Trust: 0.3
url:	http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/archive/hw-377648.htm	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004933	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686037	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04496383	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21686098	Trust: 0.3
url:	http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096503	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04487558	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=isg3t1021361	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04471546	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21686132	Trust: 0.3
url:	http://lcamtuf.blogspot.de/2014/09/bash-bug-apply-unofficial-patch-now.html	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04471538	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685914	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685604	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04475942	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2df3c-51055b159fd50/cert_security_mini_bulletin_xrx15f_for_connectkey_1.5_v1-01.pdf	Trust: 0.3
url:	https://downloads.avaya.com/css/p8/documents/100183088	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686171	Trust: 0.3
url:	http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686494	Trust: 0.3
url:	http://kb.juniper.net/infocenter/index?page=content&id=jsa10648	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 37816

SOURCES

db:	BID	id:	70166
db:	EXPLOIT-DB	id:	37816

LAST UPDATE DATE

2023-05-30T10:41:05.543000+00:00

SOURCES UPDATE DATE

db:

BID

id:

70166

date:

2016-07-05T21:53:00

SOURCES RELEASE DATE

db:	BID	id:	70166	date:	2014-09-27T00:00:00
db:	EXPLOIT-DB	id:	37816	date:	2015-08-18T00:00:00