[NEWS] Cisco CallManager Multiple Vulnerabilities (DoS, Memory Leak, Buffer Overflow) - msg#00052, security.securiteam
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Cisco CallManager Multiple Vulnerabilities (DoS, Memory Leak, Buffer Overflow)
------------------------------------------------------------------------

SUMMARY

Cisco CallManager (CCM) is the software-based call-processing component of the Cisco IP telephony solution, which extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. Cisco CallManager 3.3 and earlier, 4.0, and 4.1 are vulnerable to Denial of Service (DoS) attacks, memory leaks, and memory corruption which may result in services being interrupted, servers rebooting, or arbitrary code being executed.

DETAILS

Vulnerable Systems:
 * Cisco CallManager 3.2 and prior
 * Cisco CallManager 3.3, versions prior to 3.3(5)
 * Cisco CallManager 4.0, versions prior to 4.0(2a)SR2b
 * Cisco CallManager 4.1, versions prior to 4.1(3)SR1

CSCed37403 - Resource leak with RISDC

CallManager does not time out RISDC (Realtime Information Server Data Collection) sockets aggressively enough, leading to a scenario where Task Manager indicates that RisDC.exe is using large amounts of non-paged pool memory and ports remain in the CLOSE_WAIT state. Non-paged pool memory allocation can be checked by opening Microsoft Windows Task Manager, going to the View menu, choosing Select Columns and selecting Non-paged Pool. Open ports are listed in the output of the netstat -an command.

CSCee00116 - Cisco CallManager CTI Manager may restart with greater than 1GB memory used

Repeated attacks with crafted packets can cause the CTI Manager to allocate greater than 1 gigabyte of virtual memory. Memory allocation of the ctimgr.exe process can be checked by viewing the Microsoft Windows Task Manager.

CSCee00118 - CallManager may restart with repeated attacks

Crafted packets can cause the CallManager to inappropriately allocate 500MB to the ccm.exe process, which will return to the memory pool under normal conditions. Repeated attacks may cause a CallManager under load to exhaust memory resources and restart. Memory allocation of the ccm.exe process can be checked by viewing the Microsoft Windows Task Manager. Under attack, ccm.exe memory will jump repeatedly by 500MB.

CSCef47060 - Failed logins create memory leak when MLA enabled

When MLA (Multi Level Admin) is enabled and there are repeated, failed logons for the AST (Admin Service Tool), a memory leak may occur. While under normal operations inetinfo.exe will use between 20Mb and 30Mb of memory, systems facing this issue showed up to 750Mb of memory used. Memory allocation of the inetinfo.exe process can be checked by viewing the Microsoft Windows Task Manager. MLA is not on by default, and the enable status can be checked under CCM/User/Access Rights/MLA Parameters/Enable Multi Level Admin.

CSCsa75554 - Vulnerability to DoS and remote execution in aupair service

Crafted packets directed at Cisco CallManager may cause a memory allocation failure and buffer overflow resulting in potential execution of arbitrary code, abnormal termination of the aupair process, or corruption of memory. The aupair.exe process is a database layer between ccm.exe and SQL which cannot be disabled for normal Cisco CallManager operation. When viewing Microsoft Windows Task Manager, the process is aupair.exe, but under the Service Control Manager it is called Cisco Database Layer Monitor. If the aupair.exe process terminates, a message will be logged to the events monitor and a DrWatson report will be generated.
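The checks above are all manual (Task Manager columns, netstat -an). The script below, an added example that is not part of the advisory and not Cisco's code, turns the same symptoms into a repeatable check: it counts CLOSE_WAIT sockets per local port from netstat -an output (the RISDC leak), and walks successive memory readings looking for the 500MB step growth of ccm.exe and the runaway sizes of ctimgr.exe and inetinfo.exe. The threshold values (150 MB for inetinfo.exe, 1024 MB for ctimgr.exe, the CLOSE_WAIT limit), the port 7000 and all sample readings are constructed for the example, not figures from the advisory.

```python
from collections import Counter

MB = 1024 * 1024

# Thresholds derived from the advisory's symptom descriptions; the exact trigger
# values are assumptions for this example, not figures Cisco publishes.
INDICATORS = {
    "ctimgr.exe":   {"limit": 1024 * MB},   # CTI Manager restarts once past ~1 GB
    "ccm.exe":      {"jump": 500 * MB},     # ccm.exe grows by 500 MB per attack round
    "inetinfo.exe": {"limit": 150 * MB},    # normal is 20-30 MB; 750 MB seen when leaking
}

def parse_netstat(text):
    """Parse Windows `netstat -an` output into (proto, local, foreign, state) tuples.
    UDP rows carry no state column, so state is '' for them."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP"):
            state = parts[3] if len(parts) > 3 else ""
            rows.append((parts[0], parts[1], parts[2], state))
    return rows

def close_wait_counts(text):
    """Count CLOSE_WAIT sockets per local port: the RISDC symptom is a pile of
    half-closed sockets that never time out."""
    counts = Counter()
    for proto, local, _foreign, state in parse_netstat(text):
        if proto == "TCP" and state == "CLOSE_WAIT":
            counts[local.rsplit(":", 1)[1]] += 1
    return counts

def close_wait_alerts(text, limit=100):
    """Flag any local port holding at least `limit` CLOSE_WAIT sockets (limit is assumed)."""
    return [f"{n} sockets in CLOSE_WAIT on local port {port}"
            for port, n in sorted(close_wait_counts(text).items()) if n >= limit]

def memory_alerts(samples):
    """samples: successive {process: bytes} readings taken from Task Manager at a fixed
    interval. Flags absolute limits and the step-wise 500 MB growth of ccm.exe."""
    alerts, prev = [], {}
    for i, snap in enumerate(samples):
        for name, mem in snap.items():
            rule = INDICATORS.get(name.lower(), {})
            if "limit" in rule and mem > rule["limit"]:
                alerts.append(f"sample {i}: {name} at {mem // MB} MB exceeds {rule['limit'] // MB} MB")
            if "jump" in rule and name in prev and mem - prev[name] >= rule["jump"]:
                alerts.append(f"sample {i}: {name} grew by {(mem - prev[name]) // MB} MB since the previous sample")
        prev = snap
    return alerts

# Constructed sample data (not captured from a real CallManager): one netstat
# snapshot and three Task Manager readings taken one interval apart.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.1.1.5:7000          10.1.1.77:3322         CLOSE_WAIT
  TCP    10.1.1.5:7000          10.1.1.77:3323         CLOSE_WAIT
  TCP    10.1.1.5:7000          10.1.1.77:3324         CLOSE_WAIT
  TCP    10.1.1.5:2000          10.1.1.90:50012        ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

MEMORY_SAMPLES = [
    {"ccm.exe": 180 * MB,  "ctimgr.exe": 200 * MB,  "inetinfo.exe": 25 * MB},
    {"ccm.exe": 680 * MB,  "ctimgr.exe": 600 * MB,  "inetinfo.exe": 120 * MB},
    {"ccm.exe": 1180 * MB, "ctimgr.exe": 1100 * MB, "inetinfo.exe": 400 * MB},
]

def report(netstat_text=NETSTAT_SAMPLE, samples=MEMORY_SAMPLES, close_wait_limit=3):
    """Combine both checks into one list of findings."""
    return close_wait_alerts(netstat_text, close_wait_limit) + memory_alerts(samples)

if __name__ == "__main__":
    for finding in report():
        print(finding)
```

In production the netstat text would come from a scheduled `netstat -an` run and the memory readings from periodic process snapshots; the step detector deliberately compares consecutive samples rather than an absolute ceiling, because the advisory describes ccm.exe returning the 500MB under normal conditions and only accumulating under repeated attack.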
Successful exploitation of the vulnerabilities may result in severe issues with Cisco CallManager and related IP telephony services. Triggering a memory allocation failure and buffer overflow may allow remote code execution and breach of confidentiality. Excess memory allocation can cause resource starvation resulting in high CPU utilization, unresponsive terminal services, the inability to run CCM Admin, or the inability to map drives. This may then lead to phones not responding, phones unregistering from the Cisco CallManager, or Cisco CallManager restarting.

Vendor Status:

When considering software upgrades, please also consult http://www.cisco.com/en/US/products/products_security_advisories_listing.html and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") for assistance.

Each row of the Cisco CallManager software table (below) describes a release train which will address all of the vulnerabilities mentioned in this advisory. If a given release train is vulnerable, then the earliest possible releases that contain the fixes (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Engineering Special," "Service Release," and "Maintenance Release" columns. A device running a Cisco CallManager release in the given train that is earlier than the release in a specific column (less than the First Fixed Release listed in the Engineering Special or Service Release columns) is known to be vulnerable to one or more issues. The Cisco CallManager should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).

+-----------+----------------+--------------------+----------------------+
| Train     | Engineering    | Service Release    | Maintenance Release  |
|           | Special        |                    |                      |
|-----------+----------------+--------------------+----------------------|
| 3.2 and   |                |                    | migrate to 3.3 or    |
| earlier   |                |                    | later                |
|-----------+----------------+--------------------+----------------------|
| 3.3       | 3.3(3)ES61     |                    | 3.3(5)               |
|           | 3.3(4)ES25     |                    |                      |
|-----------+----------------+--------------------+----------------------|
| 4.0       | 4.0(2a)ES40    | 4.0(2a)SR2b        | no release planned,  |
|           |                |                    | migrate to 4.1       |
|-----------+----------------+--------------------+----------------------|
| 4.1       | 4.1(2)ES33     | 4.1(3)SR1          | 4.1(4) -- release    |
|           | 4.1(3)ES07     |                    | date to be           |
|           |                |                    | determined           |
+-----------+----------------+--------------------+----------------------+

ADDITIONAL INFORMATION

The information has been provided by Cisco Systems (psirt@xxxxxxxxx).
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20050712-ccm.shtml
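Reading the table by hand is error-prone because a CallManager version string carries three parts (train, maintenance base, and an optional ES or SR suffix) and each column is its own track. The script below is an added example, not Cisco's tooling and not part of the advisory: it parses strings such as 4.0(2a)SR2b and triages an inventory against the First Fixed Releases above. The comparison policy is an assumption made here for conservative triage: a release counts as fixed only if its maintenance base is at or above the train's Maintenance Release fix, or if it carries an ES or SR suffix at or above the First Fixed Release of the same track on the same maintenance base; everything else, including 3.2 and earlier and any train the table does not list, is reported as vulnerable. The sample inventory at the bottom is constructed.

```python
import re
from typing import NamedTuple, Optional

# A CallManager version string such as 4.0(2a)SR2b has a train (4.0), a
# maintenance base (2a) and an optional Engineering Special (ES) or
# Service Release (SR) suffix with its own number and letter (2b).
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<base>\d+)(?P<base_letter>[a-z]?)\)"
    r"(?:(?P<track>ES|SR)(?P<num>\d+)(?P<num_letter>[a-z]?))?$"
)

class CcmVersion(NamedTuple):
    train: str             # "4.0"
    base: tuple            # (2, "a") for 4.0(2a); letters sort after the bare number
    track: Optional[str]   # "ES", "SR", or None for a plain maintenance release
    num: tuple             # (2, "b") for SR2b; (0, "") when there is no suffix

def parse_version(text: str) -> CcmVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CallManager version: {text!r}")
    base = (int(m["base"]), m["base_letter"])
    num = (int(m["num"]), m["num_letter"]) if m["track"] else (0, "")
    return CcmVersion(f"{m['major']}.{m['minor']}", base, m["track"], num)

# First Fixed Releases from the advisory's table, keyed by train. "MR" is the
# Maintenance Release column. The "3.2 and earlier" row has no fix at all.
FIRST_FIXED = {
    "3.3": {"ES": ["3.3(3)ES61", "3.3(4)ES25"], "SR": [],              "MR": ["3.3(5)"]},
    "4.0": {"ES": ["4.0(2a)ES40"],              "SR": ["4.0(2a)SR2b"], "MR": []},
    "4.1": {"ES": ["4.1(2)ES33", "4.1(3)ES07"], "SR": ["4.1(3)SR1"],   "MR": ["4.1(4)"]},
}

def is_vulnerable(text: str) -> bool:
    """Assumed triage policy (not Cisco's): fixed only when the maintenance base is at
    or above the train's Maintenance Release fix, or when an ES/SR suffix is at or above
    the same track's First Fixed Release on the same base. Unknown trains are vulnerable."""
    v = parse_version(text)
    fixes = FIRST_FIXED.get(v.train)
    if fixes is None:
        return True  # 3.2 and earlier, or a train the table does not cover
    # Maintenance Release column: 3.3(5) and 4.1(4) onward carry the fix on any suffix.
    for mr in fixes["MR"]:
        if v.base >= parse_version(mr).base:
            return False
    if v.track is None:
        return True  # plain base below the fixed maintenance release
    # ES/SR columns: only a fix on the same base and the same track applies.
    for fixed in fixes[v.track]:
        f = parse_version(fixed)
        if f.base == v.base and v.num >= f.num:
            return False
    return True

def triage(versions):
    """Map each version string to 'vulnerable' or 'fixed'."""
    return {ver: ("vulnerable" if is_vulnerable(ver) else "fixed") for ver in versions}

if __name__ == "__main__":
    # Constructed sample inventory, not data from the advisory.
    inventory = ["3.2(3)", "3.3(4)ES24", "3.3(4)ES25", "3.3(5)", "4.0(2a)SR2",
                 "4.0(2a)SR2b", "4.1(3)", "4.1(3)SR1", "4.1(4)", "4.1(2)ES40"]
    for ver, status in triage(inventory).items():
        print(f"{ver:14} {status}")
```

Note that the policy deliberately does not treat a later maintenance base as fixed on its own: 3.3(4) is newer than 3.3(3) yet the table lists 3.3(4)ES25 as its First Fixed Release, so a plain 3.3(4) is still reported as vulnerable until 3.3(5).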