The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[NEWS] Cisco Call Manager Privilege Escalation


<< Previous INDEX Search src / Print Next >>
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 19 Jan 2006 16:49:13 +0200
Subject: [NEWS] Cisco Call Manager Privilege Escalation
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060120002011.0C5BE5A7A@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -




  Cisco Call Manager Privilege Escalation
------------------------------------------------------------------------


SUMMARY

Cisco CallManager (CCM) is "the software-based call-processing component 
of the Cisco IP telephony solution which extends enterprise telephony 
features and functions to packet telephony network devices such as IP 
phones, media processing devices, voice-over-IP (VoIP) gateways, and 
multimedia applications". Cisco CallManager versions with Multi Level 
Administration (MLA) enabled may be vulnerable to privilege escalations, 
which may result in read-only users gaining administrative access.

Successful exploitation of the vulnerability may result in privilege 
escalation where read-only administrative users can gain full 
administrative privileges and create, delete, or reset devices.

DETAILS

Vulnerable Systems:
 * Cisco CallManager 3.2 and earlier
 * Cisco CallManager 3.3, versions earlier than 3.3(5)SR1
 * Cisco CallManager 4.0, versions earlier than 4.0(2a)SR2c
 * Cisco CallManager 4.1, versions earlier than 4.1(3)SR2

Complete this procedure to check if Multi Level Administration is enabled:
 1. Access CCM Administration with this URL: http://<;CCMServer>/ccmadmin, 
where <CCMServer> specifies the IP address or name of the Cisco 
CallManager server.
 2. Choose User > Access Rights > Configure MLA Parameters. The MLA 
Enterprise Parameter Configuration page displays.
 3. MLA is enabled if the Enable MultiLevelAdmin enterprise parameter is 
set to True.

An administrative user with read-only permission can use a crafted URL on 
the CCMAdmin web page to escalate privileges to a full administrative 
level. This vulnerability applies to users who are authenticated to the 
read-only administrative level. Users with no administrative access and 
users with full administrative permissions continue to work as expected.

Administrative users with access privilege Read Only should not be 
confused with the standard User Group named "Read Only" which is created 
at installation. For further details on user groups and assigning access 
privileges, please refer to this URL:
 
<http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a00803ed6ea.html#wp1022471> Multilevel Administration Access Configuration

* CSCef75361, CSCsb12765, CSCsb88649, CSCsc26275?CCMAdmin Read Only User 
Can Escalate Privileges


It is possible to eliminate the ability for an attacker to escalate 
privileges from Read Only to Full Access without applying the service 
release by not using the Read Only access privilege, but instead only 
using the No Access or Full Access privileges. This is not an ideal 
solution, but can provide a temporary workaround.

For detailed instructions on configuring the privileges for a User Group 
within Cisco CallManager 4.1(3) see the Multilevel Administration Access 
Configuration:
 
<http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a00803ed6ea.html#wp1022609> Assigning Privileges to a User Group

Section of the Cisco CallManager Administration Guide:
 
<http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_book09186a00803be4ec.html>; Cisco CallManager Administration Guide, Release 4.1(3)


ADDITIONAL INFORMATION

The original article can be found at:
 <http://www.cisco.com/warp/public/707/cisco-sa-20060118-ccmpe.shtml>; 
http://www.cisco.com/warp/public/707/cisco-sa-20060118-ccmpe.shtml




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру