Working as security consultants is remarkably fulfilling. Companies rely on us to view their environment from the point of view of an attacker and discover vulnerabilities that could allow threats to succeed. One of the most impactful parts of our job is when we are the first to find a significant vulnerability that could lead to a widespread compromise beyond just our client.
That is what happened this year with the Cisco Unified Communications Manager (CUCM) IM & Presence appliance. We performed an application penetration test against it for one of our clients. While doing so, we discovered an opening that could affect anyone who uses this appliance. Read on to learn how we explored the product, how we broke it and how to put it back together.
What Is the CUCM Product?
The CUCM product is a middleware component that allows enterprises to integrate their various communication systems and manage them using one platform. In short, it unifies voice, video, data and mobile applications on fixed and mobile networks. Starting with Cisco Unified Communications 9.0, the Cisco Unified Presence technology is integrated into CUCM. Today, most people refer to this solution as the CUCM IM & Presence Service. Almost every customer that uses the Cisco Jabber instant messaging application has a CUCM IM & Presence deployment.
During the pen test, we first tried to use the least possible privilege to pinpoint the vulnerabilities that the least trusted users can reach. Then, we built a replica of the appliance in a lab environment. Using various reverse engineering techniques, we extracted the source code of the web application used to manage the appliance.
Through both dynamic testing and analysis of the source code, we found the following vulnerabilities:
- 3 x Structured Query Language (SQL) injection (CVE-2021-1355, CVE-2021-1364, CVE-2021-1282)
- SQL injection leading to arbitrary code execution (CVE-2021-1363, CVE-2021-1365)
- Path traversal (CVE-2021-1357)
- Cross-site scripting (CVE-2021-1407, CVE-2021-1408)
The main goal was to find vulnerabilities that attackers could exploit to elevate their privilege on the appliance. Initially, our team managed to discover several SQL injection vulnerabilities, but the application had a security module that filtered user input. By inspecting this module, we identified a weakness in its logic that we used to bypass it. This allowed us to exploit three SQL injection vulnerabilities. An attacker could use this to extract sensitive data from the application database, including the administrator password hash.
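The filter-bypass pattern described above is common to many input-sanitizing "security modules": a blocklist filter removes the characters it expects to see in a payload, but the query is still built by string concatenation, so any input the filter does not anticipate reaches the database as part of the SQL. The following is an added illustration written for this article, not code from the CUCM appliance or from Cisco; the table, the sample rows and the `filter_input` blocklist are all constructed. It shows a filtered-but-concatenated lookup beside a hardened version that validates the type and binds the value as a query parameter:

```python
import re
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Build an in-memory table with constructed sample users (not CUCM data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "hash-of-alice"), (2, "admin", "hash-of-admin")],
    )
    conn.commit()
    return conn


# A constructed blocklist-style filter, standing in for the kind of input-filtering
# module described above. It strips quote characters and a few keywords, which
# stops the most obvious payloads but does not make string concatenation safe.
_BLOCKED = re.compile(r"['\";]|\b(?:union|drop|delete)\b", re.IGNORECASE)


def filter_input(value: str) -> str:
    return _BLOCKED.sub("", value)


def lookup_name_filtered(conn: sqlite3.Connection, raw_id: str) -> list:
    """Vulnerable: filters the input, then still concatenates it into the query.
    A numeric comparison needs no quotes, so removing quotes changes nothing."""
    cleaned = filter_input(raw_id)
    rows = conn.execute(f"SELECT name FROM users WHERE id = {cleaned}").fetchall()
    return [r[0] for r in rows]


def lookup_name_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened: validate the expected type, then bind the value as a parameter.
    The driver sends query text and value separately, so the value can never
    alter the structure of the statement."""
    if not raw_id.isdigit():
        return []  # reject anything that is not a plain integer
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_demo_db()
    print(lookup_name_filtered(db, "1 OR 1=1"))  # both rows: the filter removed nothing
    print(lookup_name_safe(db, "1 OR 1=1"))      # []: the input is rejected outright
```

The lesson for reviewers of a filter module is that the filter's output is irrelevant if the query is still assembled by concatenation; the fix is parameterization plus positive validation of the expected type, not a longer blocklist.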
One of the SQL injections was chained with another vulnerability, an operating system command injection vulnerability, to achieve arbitrary code execution on the appliance. The chained attack could allow an attacker with low privileges on the appliance to escalate their privilege to root shell access. At that point, the attacker could have full control of the appliance, and the access could be used to move laterally within the internal network and attack internal assets and other users.
We also discovered a local file read vulnerability in one of the application's endpoints. This could allow an attacker to read any locally accessible file on the web server through the vulnerable endpoint.
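A local file read of this kind usually comes from an endpoint that joins a user-supplied name onto a base directory without checking where the resulting path ends up. The guard below is an added example for this article, not code from the appliance; the document root and the files it creates are constructed in a temporary directory. The key point it demonstrates is that the check must run on the fully resolved path, because both `..` segments and an absolute request path can escape the root before any prefix comparison:

```python
import tempfile
from pathlib import Path
from typing import Optional


def resolve_under_root(root: str, requested: str) -> Optional[Path]:
    """Return the canonical path of `requested` inside `root`, or None if it escapes.
    `root` is a hypothetical document directory; nothing here is appliance code."""
    base = Path(root).resolve()
    # Joining an absolute `requested` onto `base` discards `base` entirely, and
    # `..` segments only disappear after resolve(), so the check must look at
    # the final canonical result rather than at the raw input string.
    candidate = (base / requested).resolve()
    if candidate == base or base in candidate.parents:
        return candidate
    return None


def read_static_file(root: str, requested: str) -> Optional[bytes]:
    """Serve a file only when its resolved path stays inside the root."""
    target = resolve_under_root(root, requested)
    if target is None or not target.is_file():
        return None
    return target.read_bytes()


def demo() -> dict:
    """Build a constructed document root and exercise the guard with several request shapes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "docs"
        root.mkdir()
        (root / "help.txt").write_bytes(b"help page")
        (Path(tmp) / "secret.txt").write_bytes(b"outside the root")
        return {
            "inside": read_static_file(str(root), "help.txt"),
            "dotdot": read_static_file(str(root), "../secret.txt"),
            "absolute": read_static_file(str(root), str(Path(tmp) / "secret.txt")),
            "missing": read_static_file(str(root), "nope.txt"),
        }


if __name__ == "__main__":
    for label, content in demo().items():
        print(f"{label}: {content!r}")
```

When reviewing a file-serving endpoint, look for exactly this: the path is resolved first, compared against the resolved base second, and only then opened. Filtering the string for `..` is not a substitute, since encoded or absolute forms pass such a filter.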
Finally, we found a way to bypass and evade application security controls to exploit several reflected cross-site scripting issues on multiple endpoints. An attacker could exploit this vulnerability by constructing a request with an injected malicious payload in the vulnerable parameters and deceiving logged-in users into visiting it.
The malicious payload injected by the attacker is executed inside the victim's browser, in the context of that victim's session. The malicious script allows the attacker to hijack the user session and redirect the victim to an attacker-controlled domain, or to carry out another client-side attack such as in-browser keylogging or performing arbitrary actions within the context of the application.
We also discovered sensitive information disclosure in one of the application endpoints. This could allow an authenticated attacker to disclose users' hashed passwords, which could then be recovered using a dictionary attack.
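Reflected cross-site scripting is fixed at the output, not at the input: each reflected value is encoded for the context it lands in, and the session cookie is flagged so that an injected script cannot simply read it. The snippet below is an added example for this article, not code from the appliance or from Cisco; the page fragments, the cookie name and the header values are constructed. It contrasts a raw reflection with context-aware encoding and shows the cookie and response headers that limit what a successful injection can reach:

```python
import html
from urllib.parse import urlsplit


def render_greeting_vulnerable(display_name: str) -> str:
    """Reflects the value raw into the HTML body: any markup in it is executed."""
    return f"<p>Welcome, {display_name}</p>"


def render_greeting_safe(display_name: str) -> str:
    """HTML text context: entity-encode the value before it reaches the page."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


def render_profile_link_safe(display_name: str, profile_url: str) -> str:
    """Attribute context: encode, and also restrict the URL scheme, since a
    javascript: URL survives entity encoding and still executes on click."""
    if urlsplit(profile_url).scheme not in ("http", "https"):
        profile_url = "#"
    return (
        f'<a href="{html.escape(profile_url, quote=True)}">'
        f"{html.escape(display_name, quote=True)}</a>"
    )


def session_cookie_header(session_id: str) -> str:
    """HttpOnly keeps document.cookie from exposing the token to injected script;
    Secure and SameSite narrow where the browser will send it. Cookie name is constructed."""
    return f"sessionid={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"


def security_headers() -> dict:
    """Defence in depth: a CSP that forbids inline script blunts a reflected payload
    even if one encoding site is missed. Values here are a constructed baseline."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(probe))
    print(render_greeting_safe(probe))
    print(render_profile_link_safe("profile", "javascript:alert(1)"))
    print(session_cookie_header("constructed-session-id"))
```

The hijacking scenario described above depends on the script being able to read or use the session; encoding removes the script, and the cookie flags plus CSP reduce the damage when a single reflection point is missed.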
Moving Laterally Through the Enterprise
As a result of these vulnerabilities, a low-privileged user could elevate their privileges to the highest level on the CUCM appliance. From there, they could access sensitive information, manipulate sensitive configurations and install malicious software on the appliance that monitors and records the communication between Cisco Jabber users. An attacker could hijack logged-in user sessions or deceive users to steal their credentials. Additionally, since the application allows for code execution, an attacker could use it as a foothold inside the network from which to move laterally.
The Next Steps: Reducing the Risk of Compromise
So, what should you do about it? We recommend you install the latest patch for the Cisco Unified Communications Solutions from the Cisco security advisories. The patches for both the CUCM and the CUCM IM & Presence are shown in the charts below. Links to the advisories are located in the References section.
An ongoing penetration testing program can also help discover and fix these kinds of vulnerabilities. Learn more about X-Force Red's penetration testing services here.
On July 21, 2021, X-Force Red will be hosting a virtual panel session about threats against and vulnerabilities exposing Internet of Things (IoT) devices. The presenters will include IoT industry leaders such as the ioXt Alliance and Silicon Labs.
CUCM IM & Presence SQL injection vulnerability leads to arbitrary code execution:
CUCM IM & Presence SQL injection vulnerability leads to local file disclosure and path traversal vulnerabilities:
CUCM cross-site scripting vulnerability leads to attack on other appliance users: