Last week, Cisco released notice of two separate vulnerabilities that affect its Unified Communications Manager, formerly known as Call Manager. The first vulnerability involves two separate overflow problems that could allow a remote, unauthenticated user to launch a Denial of Service attack or execute arbitrary code.

The vulnerable products include Cisco Unified Call Manager versions 3.3, 4.1, 4.2. 4.3 prior to SR1, 5.0, and 5.1 prior to 5.1(2). Cisco Unified Communications Manager version 6.0 and Cisco Call Manager Express are not affected.

One overflow involves the Certificate Trust List Provider service which could allow a malicious user to initiate a DoS or run arbitrary code. The CTL Provider listens on TCP port 2444 but the port is user-configurable. This issue is discussed in Cisco Bug ID CSCsi03042. If this service is not in use, it should be disabled, which will eliminate the vulnerability. Since this service is used primarily during initial configuration, disabling it should not affect the operation of the device under normal circumstances. Cisco provides detailed instructions on disabling the CTL Provider service for versions CUCM version4 and version 5. Cisco also describes a filtering technique that can be used to discard potentially malicious traffic directed at the CUCM device.

Cisco will also release a software fix for the issue. The patch is not yet available.

A second overflow issue involves the Real-Time Information Server and could allow a malicious user the same access as described above. The RIS Data Collector listens on TCP port 2556, but is user-configurable. There is currently no workaround for the RIS vulnerability, but suspected traffic can be filtered out. Additionally, the port number for the RIS server can be configured to use a different port.

The second vulnerability also involves two vectors that could allow a remote user to activate or terminate CUCM/CUPS services and access SNMP configuration information. This environment could produce a DoS affecting CUCM/CUPS cluster systems, as well as exposure of sensitive SNMP information, including community strings.

Vulnerable systems include the Cisco Unified CallManager 5.0 and Communications Manager 5.1 versions up to and including 5.1(2), and the Cisco Unified Presence Server 1.0 versions up to and including 1.0(3).

At present, there is no workaround for this vulnerability. It is possible to limit the administration of CUCM/CUPS services on TCP Port 8443 to trusted nodes and administrative workstations. Cisco will make a software patch available, but it has not yet been released.