AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
-
Cisco Unified Customer Voice Portal Software (Unified CVP) contains multiple vulnerabilities. Various components of Cisco Unified CVP are affected; see the "Details" section for more information on the vulnerabilities. These vulnerabilities can be exploited independently; however, more than one vulnerability could be exploited on the same device.
Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130508-cvp
-
Cisco Unified CVP is an interactive voice response (IVR) system that enables customers to retrieve information they need from the contact center.
Cisco Unified Customer Voice Portal Software SIP INVITE Packet Vulnerability
A malformed SIP INVITE vulnerability in the CallServer component of Cisco Unified CVP could allow an unauthenticated, remote attacker to cause the system to stop accepting new calls.
The vulnerability is due to improper processing of malformed SIP INVITE packets. An attacker could exploit this vulnerability by sending malformed SIP INVITE packets to a Cisco Unified CVP server.
This vulnerability is documented in Cisco Bug ID CSCua65148 (registered customers only) and has been assigned CVE ID CVE-2013-1220.
Cisco Unified Customer Voice Portal Software Tomcat Web Application Vulnerability
A Tomcat web application vulnerability in the Tomcat Web Management component of the Cisco Unified CVP could allow an unauthenticated, remote attacker to escalate privileges and gain administrator access.
The vulnerability is due to improper configuration of Tomcat components.
This vulnerability is documented in Cisco Bug ID CSCub38384 (registered customers only) and has been assigned CVE ID CVE-2013-1221.
Cisco Unified Customer Voice Portal Software Tomcat Configuration Vulnerability
A Tomcat web application vulnerability in the Tomcat Web Management component of the Cisco Unified CVP could allow an unauthenticated, remote attacker to execute unauthorized user-supplied web applications.
The vulnerability is due to improper configuration of Tomcat components.
This vulnerability is documented in Cisco Bug ID CSCub38379 (registered customers only) and has been assigned CVE ID CVE-2013-1222.
Cisco Unified Customer Voice Portal Software File Access Vulnerability
A file access vulnerability in the log viewer of the Cisco Unified CVP could allow an unauthenticated, remote attacker to view arbitrary system files.
The vulnerability is due to an incorrect parameter check. An attacker could exploit this vulnerability by sending a crafted request to the log viewer.
This vulnerability is documented in Cisco Bug ID CSCub38372 (registered customers only) and has been assigned CVE ID CVE-2013-1223.
Cisco Unified Customer Voice Portal Software Path Traversal Vulnerability
A path traversal vulnerability in the Resource Manager component of Cisco Unified CVP could allow an unauthenticated, remote attacker to overwrite system files.
The vulnerability is due to an incorrect parameter check. An attacker could exploit this vulnerability by sending a crafted request to the Resource Manager.
This vulnerability is documented in Cisco Bug ID CSCub38369 (registered customers only) and has been assigned CVE ID CVE-2013-1224.
Cisco Unified Customer Voice Portal Software XML Entity Expansion Vulnerability
A file access vulnerability in Cisco Unified CVP could allow an unauthenticated, remote attacker to view arbitrary system files.
The vulnerability is due to a missing check for XML entity expansion. An attacker could exploit this vulnerability by sending a crafted request to the Resource Manager.
This vulnerability is documented in Cisco Bug ID CSCub38366 (registered customers only) and has been assigned CVE ID CVE-2013-1225.
-
A workaround is available for the Cisco Unified Customer Voice Portal Software XML Entity Expansion Vulnerability documented in Cisco Bug ID CSCub38366 (registered customers only).
A workaround is available for the Cisco Unified Customer Voice Portal Software Tomcat Web Application Vulnerability documented in Cisco Bug ID CSCub38384 (registered customers only).
A workaround is available for the CVP: Insecure Tomcat Configuration Instance documented in Cisco Bug ID CSCub38379 (registered customers only).
None of the other vulnerabilities published in this document have workarounds.
To implement the workaround for the Cisco Unified Customer Voice Portal Software XML Entity Expansion Vulnerability, the communication between the Cisco Unified CVP devices must be secured using SSL. For more information on how to secure the communications between Cisco Unified CVP devices, refer to the "Unified CVP security" section of the Configuration and Administration Guide for Cisco Unified Customer Voice Portal at the following location:
http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/customer_voice_portal/cvp9_0/configuration/guide/cvp-configuration-and-administration-guide.pdf
To implement the workaround for the Cisco Unified Customer Voice Portal Software Tomcat Web Application Vulnerability, the Manager and Host-Manager web applications must be removed manually from the Tomcat instances on CVP servers. Follow these instructions to remove the Manager and Host-Manager web applications:
Stop the services of the respective server, then delete the Manager and Host-Manager folders from the webapps folder of each Tomcat instance:
CVP VXML Server: Go to the C:\Cisco\CVP\VXMLServer\Tomcat\server\webapps folder. Delete the Manager and Host-Manager folders.
CVP Call Server: Go to the C:\Cisco\CVP\CallServer\Tomcat\server\webapps folder. Delete the Manager and Host-Manager folders.
CVP Operation Console Server: Go to the C:\Cisco\CVP\OPSConsoleServer\Tomcat\server\webapps folder. Delete the Manager and Host-Manager folders.
CVP Reporting Server: Go to the C:\Cisco\CVP\CallServer\Tomcat\server\webapps folder. Delete the Manager and Host-Manager folders.
To implement the workaround for the CVP: Insecure Tomcat Configuration Instance, follow these steps:
Stop the service of the VXML Server.
Go to the C:\Cisco\CVP\VXMLServer\Tomcat\conf folder and edit the server.xml file.
Change autoDeploy from true to false:
<Host appBase="webapps" autoDeploy="false"
Start the VXML Server service.
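The following read-only audit script is added here as an example; it is not part of the Cisco advisory and not Cisco tooling. It reports, for each Tomcat instance path the advisory names, whether the manager and host-manager webapps are still present and which autoDeploy value the <Host> elements in that instance's server.xml carry. It assumes the advisory's default C:\Cisco\CVP install paths and Windows PowerShell 5.1 or later on the CVP server.

```powershell
# Example audit for the two Tomcat workarounds in cisco-sa-20130508-cvp (added example, not Cisco's code).
# The advisory names the CallServer Tomcat path for both the Call Server and the Reporting Server,
# so that path appears once here.
$instances = @(
    'C:\Cisco\CVP\VXMLServer\Tomcat',
    'C:\Cisco\CVP\CallServer\Tomcat',
    'C:\Cisco\CVP\OPSConsoleServer\Tomcat'
)

function Test-CvpTomcatInstance {
    param([Parameter(Mandatory)][string]$TomcatRoot)

    $webapps   = Join-Path $TomcatRoot 'server\webapps'
    $serverXml = Join-Path $TomcatRoot 'conf\server.xml'

    # Workaround for CSCub38384: both folders must be gone from every instance.
    $leftover = @('manager', 'host-manager') |
        Where-Object { Test-Path -LiteralPath (Join-Path $webapps $_) }

    # Workaround for CSCub38379: the advisory sets autoDeploy="false" on the VXML Server <Host>.
    # Tomcat treats a missing autoDeploy attribute as true, so report that explicitly.
    $autoDeploy = 'server.xml not found'
    if (Test-Path -LiteralPath $serverXml) {
        [xml]$conf = Get-Content -LiteralPath $serverXml -Raw
        $values = foreach ($h in $conf.SelectNodes('//Host')) {
            if ($h.HasAttribute('autoDeploy')) { $h.GetAttribute('autoDeploy') } else { 'true (default)' }
        }
        $autoDeploy = if ($values) { $values -join ',' } else { 'no <Host> element' }
    }

    [pscustomobject]@{
        Instance        = $TomcatRoot
        ManagerAppsLeft = if ($leftover) { $leftover -join ',' } else { 'none' }
        HostAutoDeploy  = $autoDeploy
    }
}

$instances | ForEach-Object { Test-CvpTomcatInstance -TomcatRoot $_ } | Format-Table -AutoSize
```

A compliant system shows ManagerAppsLeft as none on every instance and HostAutoDeploy as false on the VXMLServer instance; the script changes nothing, so the manual steps above remain the remediation.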
Additional workaround details are available in the companion Applied Mitigation Bulletin (AMB) at the following location:
http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=28982
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
These vulnerabilities are fixed in the Cisco Unified CVP Software version 9.0.1 ES 11. All customers are encouraged to upgrade to this version or later.
Cisco Unified CVP Software version 9.0.1 ES 11 is available at the following link:
http://software.cisco.com/download/special/release.html?config=c51444496bd899c41331b5ad20b97954
Cisco Unified CVP Software version 8.5.1 ES 24 is available at the following link:
http://software.cisco.com/download/special/release.html?config=63b2b5a81375b982efe33705d44476b7
Cisco Unified CVP Software version 8.0.1 ES 15 is available at the following link:
http://software.cisco.com/download/special/release.html?config=1cbb5a9aab303602c24e4422e8b72e62
Other downloads for Cisco Unified CVP Software are available at the following link:
http://software.cisco.com/download/type.html?mdfid=270563413&catid=null
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
These vulnerabilities were reported to Cisco by Alex Senkevitch.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version  Description                                                                          Section      Status  Date
1.4      Updated the link to the Configuration and Administration Guide for Cisco Unified CVP.  Workarounds  Final   2016-January-05
1.3      Updated the Workarounds section.                                                                  Final   2013-August-28
1.2      Added location of patches for 8.x releases.                                                               2013-July-30
1.1      Updated the Workarounds and Software Versions and Fixes sections.                                         2013-May-10
1.0      Initial public release.                                                                                   2013-May-08
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.