Vulnerabilities > CVE-2008-4543 - Resource Management Errors vulnerability in Cisco Unity
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
COMPLETE Summary
Cisco Unity 4.x before 4.2(1)ES161, 5.x before 5.0(1)ES53, and 7.x before 7.0(2)ES8, when using anonymous authentication (aka native Unity authentication), allows remote attackers to cause a denial of service (session exhaustion) via a large number of connections.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 12 |
Common Weakness Enumeration (CWE)
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 31642 CVE(CAN) ID: CVE-2008-4545,CVE-2008-4544,CVE-2008-4543,CVE-2008-4542 Cisco Unity是一个语音和统一的消息平台。 Cisco Unity中存在多个安全漏洞,可能允许恶意用户泄露敏感信息、导致拒绝服务或注入恶意脚本。 1) Cisco Unity中存在跨站脚本漏洞,远程攻击者可以向数据库提供恶意数据,当下一次管理员登录并访问依赖于存储信息的页面时,就可以执行跨站脚本。 2) Unity服务器的会话管理是有限的,这允许恶意用户耗尽所有可用的会话。成功利用这个漏洞要求Unity服务器配置了匿名认证(非默认)。 3) Unity服务器没有对\CommServer\Reports设置安全的权限,域用户可以获得敏感信息。 4) 如果向Unity监听动态UDP端口的服务发送了特制报文的话,就可能导致拒绝服务的情况。 Cisco Unity Server 7.0 Cisco Unity Server 5.0 Cisco Unity Server 4.2 厂商补丁: Cisco ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.cisco.com/warp/public/707/advisory.html target=_blank>http://www.cisco.com/warp/public/707/advisory.html</a> |
id | SSV:4235 |
last seen | 2017-11-19 |
modified | 2008-10-15 |
published | 2008-10-15 |
reporter | Root |
title | Cisco Unity多个远程安全漏洞 |
References
- http://secunia.com/advisories/32187
- http://securitytracker.com/id?1021013
- http://www.cisco.com/en/US/products/products_security_response09186a0080a0d861.html
- http://www.securityfocus.com/bid/31642
- http://www.voipshield.com/research-details.php?id=128
- http://www.vupen.com/english/advisories/2008/2771
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45743