Home > Security News > Cisco issues CallManager security update
Security News:
EMAIL THIS LICENSING & REPRINTS

Cisco issues CallManager security update

By Bill Brenner, Senior News Writer
30 Aug 2007 | SearchSecurity.com

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   

Cisco Systems Inc. has released a security update that addresses flaws in its CallManager and Unified Communications Manager product line. An attacker can exploit the flaws to conduct cross-site scripting and SQL injection attacks.

The San Jose, Calif.-based networking giant said in its cisco-sa-20070829-ccm advisory that the programs are vulnerable to cross-site Scripting (XSS) and SQL injection attacks in the so-called lang variable of the admin and user log-on pages. "A successful attack may allow an attacker to run JavaScript on computer systems connecting to CallManager or Unified Communications Manager servers, and has the potential to disclose information within the database," the vendor said.

Cisco CallManager (CCM) is the software-based call processing component for Cisco's IP telephony product line. Cisco Unified Communications Manager extends enterprise telephony features and capabilities to packet network devices such as IP phones, media processing devices, voice over IP (VoIP) gateways, and multimedia applications, according to the Cisco Web site. Additional services, such as unified messaging, multimedia conferencing, collaborative contact centers, and interactive multimedia response systems are made possible through open telephony APIs, Cisco said.

Danish vulnerability clearinghouse Secunia rates the flaws as moderately critical in its SA26641 advisory, describing two specific problems.

The input passed to unspecified parameters to the admin or user logon pages is not properly sanitized before being returned to the user, Secunia said. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Also, input passed to unspecified parameters to the admin or user logon pages is not properly sanitized before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code, Secunia said.

Secunia independently confirmed that the flaws affect Cisco CallManager and Unified Communications Manager released prior to versions 3.3(5)sr2b, 4.1(3)sr5, 4.2(3)sr2 and 4.3(1)sr1. The solution is to update to versions 3.3(5)sr2b, 4.1(3)sr5, 4.2(3)sr2, or 4.3(1)sr1.



Tags: Network Routers and SwitchesVoIP SecurityNetwork Device ManagementVIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   




More Tips to Secure Your Network
Focused on Channel Security?
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts