News Stay informed about the latest enterprise technology news and product updates.

Cisco issues CallManager security update

Security flaws in Cisco CallManager and Unified Communications Manager could be exploited for cross-site scripting and SQL injection attacks, but a security update is available.

Cisco Systems Inc. has released a security update that addresses flaws in its CallManager and Unified Communications...

Manager product line. An attacker can exploit the flaws to conduct cross-site scripting and SQL injection attacks.

The San Jose, Calif.-based networking giant said in its cisco-sa-20070829-ccm advisory that the programs are vulnerable to cross-site Scripting (XSS) and SQL injection attacks in the so-called lang variable of the admin and user log-on pages. "A successful attack may allow an attacker to run JavaScript on computer systems connecting to CallManager or Unified Communications Manager servers, and has the potential to disclose information within the database," the vendor said.

Cisco CallManager (CCM) is the software-based call processing component for Cisco's IP telephony product line. Cisco Unified Communications Manager extends enterprise telephony features and capabilities to packet network devices such as IP phones, media processing devices, voice over IP (VoIP) gateways, and multimedia applications, according to the Cisco Web site. Additional services, such as unified messaging, multimedia conferencing, collaborative contact centers, and interactive multimedia response systems are made possible through open telephony APIs, Cisco said.

Danish vulnerability clearinghouse Secunia rates the flaws as moderately critical in its SA26641 advisory, describing two specific problems.

The input passed to unspecified parameters to the admin or user logon pages is not properly sanitized before being returned to the user, Secunia said. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Also, input passed to unspecified parameters to the admin or user logon pages is not properly sanitized before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code, Secunia said.

Secunia independently confirmed that the flaws affect Cisco CallManager and Unified Communications Manager released prior to versions 3.3(5)sr2b, 4.1(3)sr5, 4.2(3)sr2 and 4.3(1)sr1. The solution is to update to versions 3.3(5)sr2b, 4.1(3)sr5, 4.2(3)sr2, or 4.3(1)sr1.

Dig Deeper on Network device security: Appliances, firewalls and switches



Find more PRO+ content and other member only offers, here.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.