Cisco issues CallManager security update

Security flaws in Cisco CallManager and Unified Communications Manager could be exploited for cross-site scripting and SQL injection attacks, but a security update is available.

Cisco Systems  has released a security update that addresses flaws in its CallManager and Unified Communications Manager product line. An attacker can exploit the flaws to conduct cross-site scripting and SQL injection attacks.

The networking company said in its cisco-sa-20070829-ccm advisory that the programs are vulnerable to cross-site Scripting (XSS) and SQL injection attacks in the so-called lang variable of the admin and user log-on pages. "A successful attack may allow an attacker to run JavaScript on computer systems connecting to CallManager or Unified Communications Manager servers, and has the potential to disclose information within the database," the company said.

Cisco CallManager (CCM) is the software-based call processing component for Cisco's IP telephony product line. Cisco Unified Communications Manager extends enterprise telephony features and capabilities to packet network devices such as IP phones, media processing devices, voice over IP (VoIP) gateways, and multimedia applications, according to the Cisco Web site. Additional services, such as unified messaging, multimedia conferencing, collaborative contact centers, and interactive multimedia response systems are made possible through open telephony APIs, Cisco said.

Danish vulnerability clearinghouse Secunia rates the flaws as moderately critical in its SA26641 advisory, describing two specific problems.

The input passed to unspecified parameters to the admin or user logon pages is not properly sanitised before being returned to the user, Secunia said. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Also, input passed to unspecified parameters to the admin or user logon pages is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code, Secunia said.

Secunia independently confirmed that the flaws affect Cisco CallManager and Unified Communications Manager released prior to versions 3.3(5)sr2b, 4.1(3)sr5, 4.2(3)sr2 and 4.3(1)sr1. The solution is to update to versions 3.3(5)sr2b, 4.1(3)sr5, 4.2(3)sr2, or 4.3(1)sr1.

Read more on Voice networking and VoIP