Summary
=======
Cisco Unified Communications Manager (CUCM), formerly Cisco
CallManager, contains a denial of service (DoS) vulnerability in the
Computer Telephony Integration (CTI) Manager service that may cause
an interruption in voice services, and an authentication bypass
vulnerability in the Real-Time Information Server (RIS) Data
Collector that may expose information useful for reconnaissance.
Cisco Unified Communications Manager (formerly Cisco CallManager)
also contains multiple denial of service (DoS) vulnerabilities that,
if exploited, could cause an interruption of voice services. The
Session Initiation Protocol (SIP), Skinny Client Control Protocol
(SCCP) and Computer Telephony Integration (CTI) Manager services are
affected by these vulnerabilities.
To address these vulnerabilities, Cisco has released free software
updates for select Cisco Unified Communications Manager versions.
There is a workaround for one of the vulnerabilities.
* Cisco AnyConnect VPN Client
* Cisco Adaptive Security Device Manager (ASDM)
* Cisco Building Broadband Service Manager (BBSM)
* Cisco Catalyst Operating System (Catalyst OS)
* Cisco Computer Telephony Integration Object Server (CTI)
* Cisco IOS Software
* Cisco IP/TV
* Cisco Meetingplace
* Cisco Mobile Wireless Fault Mediator (MWFM)
* Cisco NAC Appliance (formerly Cisco Clean Access)
Denial of Service Vulnerabilities
+--------------------------------
A DoS vulnerability exists in the computer telephony integration (CTI) server
component of the Cisco UCCX product. Because the CTI server is started only
when the Integrated Call Distribution (ICD) license is enabled, Cisco Unified IP
Interactive Voice Response (Cisco Unified IP IVR) deployments are not affected
by the CTI server DoS vulnerability. The CTI server listens by default on TCP
port 42027, although the port number can be changed in the System Port
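As an added example (not part of the advisory and not Cisco's code), the following Python script gives an administrator two checks for the UCCX CTI server port described above: it parses `netstat -an`-style output captured on the UCCX host (the sample output below is constructed) to confirm whether a socket is LISTENING on TCP 42027 on a non-loopback address, which indicates the ICD-licensed CTI server is running and reachable, and it offers a TCP connect probe to run from a segment that should not be able to reach the CTI server, to verify that filtering is in place. The port constant defaults to 42027 but is a parameter, since the advisory notes the port can be changed; host addresses in the sample are assumptions.

```python
"""Exposure check for the UCCX CTI server port (TCP 42027 by default).

Added example, not Cisco's code. Sample netstat output and addresses are
constructed for illustration.
"""
import re
import socket

# Default UCCX CTI server port per the advisory; configurable on the server,
# so every function below takes the port as a parameter.
CTI_SERVER_PORT = 42027

# Constructed sample in the shape of `netstat -an` on a Windows-based UCCX host.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:42027          0.0.0.0:0              LISTENING
  TCP    10.1.1.5:42027         10.1.1.99:51020        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Matches only TCP sockets in the LISTENING state; local address and port are captured.
_LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s*$", re.M
)

_LOOPBACK = ("127.0.0.1", "[::1]", "::1")


def parse_listening_ports(netstat_output: str) -> dict[int, list[str]]:
    """Map each listening TCP port to the local addresses it is bound on."""
    ports: dict[int, list[str]] = {}
    for m in _LISTEN_RE.finditer(netstat_output):
        ports.setdefault(int(m.group("port")), []).append(m.group("addr"))
    return ports


def cti_server_exposed(netstat_output: str, port: int = CTI_SERVER_PORT) -> bool:
    """True if the CTI server port is bound on a wildcard or non-loopback address.

    A bind on 127.0.0.1 / ::1 only is not reachable from the network and is
    not counted as exposure.
    """
    addrs = parse_listening_ports(netstat_output).get(port, [])
    return any(a not in _LOOPBACK and not a.startswith("127.") for a in addrs)


def probe_tcp(host: str, port: int = CTI_SERVER_PORT, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes from this vantage point.

    Run from a network segment that should NOT reach the CTI server; a True
    result means the workaround filtering is not in effect on that path.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    print("CTI server exposed on sample host:", cti_server_exposed(NETSTAT_SAMPLE))
    # Example live probe (constructed address):
    # print("reachable from here:", probe_tcp("10.1.1.5"))
```

Capture the netstat output on the UCCX server itself rather than relying only on a remote scan: a remote probe that fails may mean the port is filtered, but it may equally mean the ICD license is not enabled and the CTI server never started, and the two cases call for different follow-up.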