Cisco Unified Communications Manager (Unified CM) is an award-winning software solution used by thousands of organizations to provide voice, video, and data communication services to remote employees, partners, and customers. Cisco Unified Communications Manager Session Management Edition (Unified CM SME) is a software-based solution used by thousands of organizations to provide voice and data communication among remote users. Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) is a software-based solution used by thousands of organizations to provide presence information and data communication among remote users. Together these products form a collaboration platform that enables communication among people, devices, applications, and services, so that users can collaborate in real time on voice, video, and data communication.

Description of CVE-2022-20791

Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) are enterprise-class communication software products that provide telephony, videoconferencing, presence information, and high availability of data communication. These products are maintained by Cisco Systems and are used by thousands of customers around the world.

Cisco Unified Communications Manager Overview

Cisco Unified Communications Manager is an enterprise-class communication software product that provides telephony, videoconferencing, presence information, and high availability of data communication. It is renowned for providing a rich set of collaboration features that enable communication among people, devices, applications, and services. Cisco Unified Communications Manager includes the following products:
* Cisco Unified Communications Manager (Unified CM)
* Cisco Unified Communications Manager Session Management Edition (Unified CM SME)
* Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P)
* Cisco Unified Communicator
Cisco Unified Communications Manager provides a rich set of collaboration features that enable communication among people, devices, applications, and services.

Overview of the Vulnerabilities

This paper provides a detailed analysis of the vulnerabilities in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME), as well as Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P). The researchers have found the following:
- Multiple memory corruption vulnerabilities in Cisco Unified Communications Manager that can be exploited by an attacker to execute arbitrary code and take control of the vulnerable system.
- Multiple privilege escalation vulnerabilities in Cisco Unified Communications Manager that allow an authenticated attacker to escalate privileges in order to perform malicious activities such as accessing sensitive data or taking ownership of files.
- A cross-site scripting vulnerability in Cisco Unified Communications Manager that allows attackers to read sensitive information on behalf of an authenticated user.
In summary, these flaws could lead to remote code execution and privilege escalation. The cross-site scripting vulnerability additionally allows attackers to read sensitive information on behalf of an authenticated user.

Summary of CVE-2022-20791

On 2nd February 2059, Cisco released an update to Cisco Unified Communications Manager that includes an update to the SMPP module addressing a security issue. The issue is a persistent memory corruption vulnerability that can allow an attacker to execute arbitrary code. It is tracked as CVE-2022-20791 and affects Cisco Unified Communications Manager (Unified CM) software versions 7.x, 8.x, 9.x, 10.x, and 11.x.

Description of Vulnerable Workspace

It was reported in the Cisco Security Intelligence Report (CSIR) on September 4th that vulnerabilities had been found in Cisco Unified Communications Manager Phone Edition. These vulnerabilities were not fixable through upgrades or patches because they would require an extensive redesign of the product itself.

Cisco Unified Communications Manager Phone Edition is an enterprise-class software product that includes telephony features such as support for voice trunking and call diversion. As a result of this vulnerability, it was possible for a remote attacker to manipulate the behavior of an affected system by sending fraudulent calls from trusted numbers (such as those of a customer’s employees) to another party within the organization. If this happened, the attack would cause security problems for the organization in question because it would enable attackers to bypass authentication systems used by Cisco Unified Communications Manager Phone Edition.

Timeline

Published on: 07/06/2022 21:15:00 UTC
Last modified on: 07/14/2022 14:51:00 UTC

References