voice
Summary
=======
Cisco Unified Contact Center Express (UCCX or Unified CCX) and Cisco
Unified IP Interactive Voice Response (Unified IP-IVR) contain a
directory traversal vulnerability that may allow a remote,
unauthenticated attacker to retrieve arbitrary files from the
filesystem.
Cisco has released free software updates that address this
addressed in this advisory.
There are no workarounds available to mitigate the effects of any of
the vulnerabilities apart from disabling the protocol or feature
itself, if administrators do not require the Cisco IOS device to
provide voice over IP services.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
Note: The September 24, 2008 IOS Advisory bundled publication
Affected Products
=================
This vulnerability only affects devices running Cisco IOS Software
with SIP voice services enabled.
Vulnerable Products
+------------------
Cisco devices running affected Cisco IOS Software versions that are
prior to 4.1 reached end of software maintenance. Customers
should contact their Cisco support team for assistance in
upgrading to a supported version of CiscoWorks QoS Policy
Manager.
* CiscoWorks Voice Manager
+---------------------------------------------------------------+
| Voice Manager Versions | Common Services Versions |
|------------------------------------+--------------------------|
| Prior to 3.0 on Microsoft Windows | Various |
Affected Products
=================
These vulnerabilities only affect devices running Cisco IOS Software
with SIP voice services enabled.
Vulnerable Products
+------------------
Cisco devices are affected when they are running affected Cisco IOS
packet vulnerability that affects devices running certain 7.x software
versions if the software has one or more features configured that cause
TLS sessions to terminate on the PIX or ASA security appliance. These
functions include, but are not limited to, clientless WebVPN, HTTPS
management, cut-through proxy for network access, and TLS proxy for
encrypted voice inspection. Version 6.3.x is not affected. Features that
cause TLS sessions to terminate on the PIX and ASA security appliances
are not enabled by default. For specific affected versions, please refer
to the "Software Versions and Fixes" section.
In addition to the PIX and ASA security appliances,
ASA and Cisco PIX devices that use TLS:
* Clientless WebVPN, SSL VPN Client, and AnyConnect Connections
* ASDM (HTTPS) Management Sessions
* Cut-Through Proxy for Network Access
* TLS Proxy for Encrypted Voice Inspection
Clientless WebVPN, SSL VPN Client, and AnyConnect Connections
+------------------------------------------------------------
Clientless WebVPN, SSL VPN Client, and AnyConnect connections are
Cisco devices are affected when they are running affected Cisco IOS
Software and Cisco IOS XE Software versions that are configured to
process SIP messages.
Recent versions of Cisco IOS Software do not process SIP messages by
default. Creating a dial peer by issuing the "dial-peer voice"
configuration command will start the SIP processes, causing the Cisco
IOS device to process SIP messages. In addition, several features in
Cisco Unified Communications Manager Express, such as ephones, will
automatically start the SIP process when they are configured, which
could cause the affected device to start processing SIP messages. An
Affected Products
=================
These vulnerabilities only affect devices running Cisco IOS Software
with SIP voice services enabled.
Vulnerable Products
+------------------
Cisco devices running affected Cisco IOS Software versions that are
Cisco IP Phone CP-7975G
Vulnerability: Directory Traversal
Reversible Obfuscation Algorithm
SCCP service security issues
CTFTP Information Leaks
Voice VLAN Separation Activated Late
Affected Releases: 7.0, 8.0(2)
Severity: HIGH
________________________________________________________________________
following features is affected:
* Secure Socket Layer Virtual Private Network (SSL VPN)
* When the affected device is configured to accept Cisco Adaptive
Security Device Manager (ASDM) connections
* TLS Proxy for Encrypted Voice Inspection
* Cut-Through Proxy for Network Access when using HTTPS
SSL VPN (or WebVPN) is enabled with the "enable <interface name>"
command in "webvpn" configuration mode. SSL VPN is disabled by default.
The following configuration snippet provides an example of an SSL VPN
There is a vulnerability in Windows Media Audio Voice decoder
distributed with Windows Media Player that allows remote code
execution by opening a specially crafted web page.
###################
#The vulnerability#
###################
The cause of the vulnerability is a bound checking error in the code
used to decompress Windows Media Audio Voice compressed audio files
=======
Cisco Unified Communications Manager, formerly Cisco Unified
CallManager, contains two denial of service (DoS) vulnerabilities in
the Session Initiation Protocol (SIP) service. An exploit of these
vulnerabilities may cause an interruption in voice services.
Cisco will release free software updates that address these
vulnerabilities and this advisory will be updated as fixed software
becomes available. There are no workarounds for these
vulnerabilities.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco Voice Portal Privilege Escalation
Vulnerability
Advisory ID: cisco-sa-20080521-cvp
http://www.cisco.com/warp/public/707/cisco-sa-20080521-cvp.shtml
Summary
=======
Cisco Unified Communications Manager (formerly Cisco CallManager)
contains multiple denial of service (DoS) vulnerabilities that if
exploited could cause an interruption of voice services. The Session
Initiation Protocol (SIP), Skinny Client Control Protocol (SCCP) and
Computer Telephony Integration (CTI) Manager services are affected by
these vulnerabilities.
To address these vulnerabilities, Cisco has released free software
=======
Cisco Unified Communications Manager, which was formerly Cisco
Unified CallManager, contains a denial of service (DoS) vulnerability
in the Session Initiation Protocol (SIP) service. An exploit of this
vulnerability may cause an interruption in voice services.
Cisco has released free software updates that address this
vulnerability. There are no workarounds for this vulnerability.
This advisory is posted at:
=======
Cisco Unified Communications Manager contains two denial of service
(DoS) vulnerabilities that affect the processing of Session
Initiation Protocol (SIP) messages. Exploitation of these
vulnerabilities could cause an interruption of voice services.
To address these vulnerabilities, Cisco has released free software
updates. There is a workaround for these vulnerabilities.
This advisory is posted at
=======
Cisco Unified Communications Manager contains a memory leak
vulnerability that could be triggered through the processing of
malformed Session Initiation Protocol (SIP) messages. Exploitation of
this vulnerability could cause an interruption of voice services.
Cisco has released free software updates for supported Cisco Unified
Communications Manager versions to address the vulnerability. A
workaround exists for this SIP vulnerability.
This advisory is posted at
> *grumble*
> --
> Todd Fries .. todd@fries.net
>
> _____________________________________________
> | \ 1.636.410.0632 (voice)
> | Free Daemon Consulting, LLC \ 1.405.227.9094 (voice)
> | http://FreeDaemonConsulting.com \ 1.866.792.3418 (FAX)
> | "..in support of free software solutions." \ 1.700.227.9094 (IAXTEL)
> | \ 250797 (FWD)
> \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Summary
=======
Cisco Unified Communications Manager (formerly CallManager) contains
multiple denial of service (DoS) vulnerabilities that if exploited
could cause an interruption to voice services. The Session Initiation
Protocol (SIP) and Skinny Client Control Protocol (SCCP) services are
affected by these vulnerabilities.
Cisco has released free software updates for select Cisco Unified
Communications Manager versions that address these vulnerabilities.
*grumble*
--
Todd Fries .. todd@fries.net
_____________________________________________
| \ 1.636.410.0632 (voice)
| Free Daemon Consulting, LLC \ 1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com \ 1.866.792.3418 (FAX)
| "..in support of free software solutions." \ 1.700.227.9094 (IAXTEL)
| \ 250797 (FWD)
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-cucm
Cisco Unified Contact Center Express and Cisco Unified IP Interactive
Voice Response are also affected by this vulnerability, and a
separate advisory has been published at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-uccx
Note: Effective October 18, 2011, Cisco moved the current list of
Cisco Security Advisories and Responses published by Cisco PSIRT. The
=======
Cisco Unified Communications Manager contains two denial of service
(DoS) vulnerabilities that affect the processing of Session
Initiation Protocol (SIP) messages. Exploitation of these
vulnerabilities could cause an interruption of voice services.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds for these vulnerabilities.
This advisory is posted at:
not accept H.323 traffic and putting firewalls in strategic locations
may greatly reduce exposure until an upgrade can be performed.
Cisco provides Solution Reference Network Design (SRND) guides to
help design and deploy networking solutions, which can be found at
http://www.cisco.com/go/srnd. Voice Security best practices are
covered in the Cisco Unified Communications SRND Based on Cisco
Unified Communications Manager 6.x at:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/6x/security.html
=======
Cisco Unified Communications Manager, formerly Cisco CallManager,
contains a denial of service (DoS) vulnerability in the Certificate
Authority Proxy Function (CAPF) service. Exploitation of this
vulnerability could cause an interruption in voice services. The CAPF
service is disabled by default.
Cisco has released free software updates that address this
vulnerability. Workarounds that mitigate this vulnerability are
available.
Cisco Unified Communications Manager contains three DoS
vulnerabilities that involve the processing of SIP messages. Each
vulnerability is triggered by a malformed SIP message that could
cause a critical process to fail, resulting in the disruption of
voice services. All SIP ports (TCP ports 5060 and 5061 and UDP ports
5060 and 5061) are affected.
The first SIP DoS vulnerability is documented in Cisco Bug ID CSCti42904
and has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2011-1604. This vulnerability is fixed in Cisco Unified
The vulnerabilities described in this document affect the following products:
* Cisco UCCX versions 5.x, 6.x, and 7.x
* Cisco Customer Response Solution (CRS) versions 5.x, 6.x, and 7.x
* Cisco Unified IP Interactive Voice Response (Cisco Unified IP IVR) versions
5.x, 6.x, and 7.x
Products Confirmed Not Vulnerable
+--------------------------------
ZDI-09-069: Microsoft Windows Media Player Audio Voice Sample Rate Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-069
October 13, 2009
-- CVE ID:
CVE-2009-0555
-- Affected Vendors:
Microsoft