nSense-2010-003: Cisco Unified Communications Manager

2010-11-09T00:00:00
ID SECURITYVULNS:DOC:25099
Type securityvulns
Reporter Securityvulns
Modified 2010-11-09T00:00:00

Description

   nSense Vulnerability Research Security Advisory NSENSE-2010-003
   ---------------------------------------------------------------

   Affected Vendor:    Cisco Systems, Inc
   Affected Product:   Cisco Unified Communications Manager
   Platform:           All
   Impact:             Privilege Escalation
   Vendor response:    Patch. IntelliShield ID 21656
   CVE:                CVE-2010-3039
   Credit:             Knud / nSense

   Technical details
   ---------------------------------------------------------------

   Cisco Unified Communications Manager contains a setuid binary
   which fails to validate command line arguments. A local user
   can leverage this vulnerability to gain root access by
   supplying suitable arguments to the binary.

   The application also contains unsafe function calls, such as
   sprintf().

   Proof of concept:
   /usr/local/cm/bin/pktCap_protectData -i";id"

   Timeline:
   Aug 21st            Contacted vendor PSIRT
   Aug 23rd            Vendor response. Vulnerability acknowledged
   Aug 23rd            More information sent to vendor
   Sep 2nd             Status update request sent to vendor
   Sep 2nd             Vendor response
   Sep 3rd             Vendor response. More information provided.
   Sep 22nd            Status update request sent to vendor
   Sep 22nd            Vendor response
   Sep 23rd            Vendor response. New release date suggested
   Sep 23rd            Agreed to the October 20th release date
   Sep 23rd            Vendor response
   Oct 6th             Requested schedule information from vendor
   Oct 6th             Vendor response. New release date suggested
   Oct 6th             Sent counterproposal to vendor
   Oct 6th             Vendor response. Requested Wednesday release
   Oct 7th             Agreed to the new release date
   Oct 7th             Vendor response
   Nov 3rd             Vendor confirms release and sends link
   Nov 5th             Advisory published

   A thank you to Matthew Cerha / Cisco PSIRT for the coordination
   effort.

   "Remember, remember the Fifth of November"

   Links:
   http://tools.cisco.com/security/center/viewAlert.x?alertId=21656

   http://www.nsense.fi                       http://www.nsense.dk



   $$s$$$$s.   ,s$$$$s   ,S$$$$$s.  $$s$$$$s.   ,s$$$$s   ,S$$$$$s.
   $$$  `$$$  ($$(       $$$  `$$$  $$$  `$$$  ($$(       $$$  `$$$
   $$$   $$$    `^$$s.   $$$$$$$$$  $$$   $$$    `^$$s.   $$$$$$$$$
   $$$   $$$       )$$)  $$$        $$$   $$$       )$$)  $$$
   $$$   $$$  ^$$$$$$7    `7$$$$$P  $$$   $$$  ^$$$$$$7   `7$$$$$P

                  D r i v e n   b y   t h e   c h a l l e n g e _