nSense Vulnerability Research Security Advisory NSENSE-2010-003
---------------------------------------------------------------

Affected Vendor:   Cisco Systems, Inc
Affected Product:  Cisco Unified Communications Manager
Platform:          All
Impact:            Privilege Escalation
Vendor response:   Patch. IntelliShield ID 21656
CVE:               CVE-2010-3039
Credit:            Knud / nSense

Technical details
---------------------------------------------------------------

Cisco Unified Communications Manager contains a setuid binary which
fails to validate command line arguments. A local user can leverage
this vulnerability to gain root access by supplying suitable arguments
to the binary. The application also contains unsafe function calls,
such as sprintf().

Proof of concept:
/usr/local/cm/bin/pktCap_protectData -i";id"

Timeline:
Aug 21st    Contacted vendor PSIRT
Aug 23rd    Vendor response. Vulnerability acknowledged
Aug 23rd    More information sent to vendor
Sep 2nd     Status update request sent to vendor
Sep 2nd     Vendor response
Sep 3rd     Vendor response. More information provided.
Sep 22nd    Status update request sent to vendor
Sep 22nd    Vendor response
Sep 23rd    Vendor response. New release date suggested
Sep 23rd    Agreed to the October 20th release date
Sep 23rd    Vendor response
Oct 6th     Requested schedule information from vendor
Oct 6th     Vendor response. New release date suggested
Oct 6th     Sent counterproposal to vendor
Oct 6th     Vendor response. Requested Wednesday release
Oct 7th     Agreed to the new release date
Oct 7th     Vendor response
Nov 3rd     Vendor confirms release and sends link
Nov 5th     Advisory published

A thank you to Matthew Cerha / Cisco PSIRT for the coordination effort.

"Remember, remember the Fifth of November"

Links:
http://tools.cisco.com/security/center/viewAlert.x?alertId=21656
http://www.nsense.fi
http://www.nsense.dk
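The two defect classes named under "Technical details" (unvalidated command line arguments in a privileged binary, and unbounded sprintf()) are normally closed with an allowlist check, an exec call that takes an argument vector rather than a shell string, and bounded formatting. The C code below is an added example, not code from this advisory or from Cisco. It assumes the argument would otherwise reach a shell command; the function names, the 32-character limit, the allowed character set and the /bin/echo stand-in helper are all hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ARG_LEN 32  /* assumed limit for this example */

/* Allowlist check: 1..MAX_ARG_LEN chars from [A-Za-z0-9_.-], no leading '-'. */
int arg_is_safe(const char *s)
{
    size_t n;
    if (s == NULL || s[0] == '-') return 0;
    n = strlen(s);
    if (n == 0 || n > MAX_ARG_LEN) return 0;
    return strspn(s, "abcdefghijklmnopqrstuvwxyz"
                     "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-") == n;
}

/* Bounded replacement for sprintf(): fails instead of overflowing or truncating. */
int format_label(char *out, size_t outlen, const char *value)
{
    int n = snprintf(out, outlen, "capture:%s", value);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Validate first, then exec with an argv array and a fixed environment, so no
 * shell ever parses the value. Returns the child's exit status, -1 on reject. */
int run_helper_safely(const char *value)
{
    pid_t pid;
    int status;
    if (!arg_is_safe(value))
        return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/echo", "capture on", (char *)value, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve("/bin/echo", argv, envp);  /* stand-in for the real helper */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    return (argc == 2 && run_helper_safely(argv[1]) == 0) ? 0 : 1;
}
```
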