
Cisco IOS for Unified Communications Manager Express Vulnerability

Last Update Date: 28 Jan 2011
Release Date: 25 Sep 2009

RISK: Medium Risk

A vulnerability has been identified in Cisco IOS for Unified Communications Manager Express, which could be exploited by attackers to cause a denial of service or compromise a vulnerable system. This issue is caused by a buffer overflow error in the login section of the Extension Mobility feature when processing malformed messages while the device is configured for Cisco Unified CME, which could allow an attacker with a registered phone IP address to crash an affected system or execute arbitrary code.

Note: If the auto-registration feature is enabled (it is enabled by default), an attacker can register their own IP address and subsequently exploit the vulnerability.
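
A way to check the auto-registration state on an exported running configuration, as an added example that is not part of the original advisory. It assumes the CME `telephony-service` section and the `no auto-reg-ephone` command (neither is named on this page), assumes that IOS leaves default settings out of the running configuration, and uses constructed sample configurations.

```python
# Added example: audit an exported IOS running-config for CME auto-registration.
# Assumption: auto-registration is controlled by "auto-reg-ephone" under
# "telephony-service" and, being the default, is not shown when enabled.

# Constructed sample configurations (not taken from the advisory).
CONFIG_DEFAULT = """\
hostname cme-branch1
!
telephony-service
 max-ephones 24
 max-dn 48
 ip source-address 192.0.2.1 port 2000
!
line vty 0 4
"""
CONFIG_HARDENED = CONFIG_DEFAULT.replace(
    " max-dn 48\n", " max-dn 48\n no auto-reg-ephone\n")
CONFIG_NO_CME = "hostname edge-rtr\n!\ninterface GigabitEthernet0/0\n shutdown\n!\n"


def section(config, header):
    """Return the indented sub-commands under a top-level section, or None."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if line.rstrip() == header:  # top-level lines carry no indent
            body = []
            for sub in lines[i + 1:]:
                if not sub.startswith(" "):
                    break  # next top-level command or "!" ends the section
                body.append(" ".join(sub.split()))
            return body
    return None


def audit_auto_registration(config):
    """Classify a config as 'not-configured', 'disabled' or 'enabled'."""
    body = section(config, "telephony-service")
    if body is None:
        return "not-configured"  # device is not set up for Unified CME
    if "no auto-reg-ephone" in body:
        return "disabled"        # explicit opt-out present
    return "enabled"             # silence means the default applies


if __name__ == "__main__":
    for name, cfg in [("default", CONFIG_DEFAULT),
                      ("hardened", CONFIG_HARDENED),
                      ("no-cme", CONFIG_NO_CME)]:
        print(f"{name}: auto-registration {audit_auto_registration(cfg)}")
```

A result of `enabled` means the device still accepts registrations from unknown phones, so it should be prioritised for the upgrade listed under Solutions.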


Impact

  • Denial of Service
  • Remote Code Execution

System / Technologies affected

  • Cisco IOS 12.x

  • Cisco Unified Communications 500 Series


Solutions

Before installing the software, please visit the software manufacturer's website for more details.

  • Upgrade to fixed versions:
    http://www.cisco.com/warp/public/707/cisco-sa-20090923-cme.shtml

    Users with contracts should obtain upgraded software through regular update channels. Most users can obtain upgrades via the Software Center on Cisco's Worldwide Web site at http://www.cisco.com/.

    Users without contracts should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

    +1 800 553 2447 (toll-free call within North America)
    +1 408 526 7209 (toll call from elsewhere in the world)
    E-mail: [email protected]

