Vulnerabilities > CVE-2014-7991 - Cryptographic Issues vulnerability in Cisco Unified Communications Manager

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
cisco
CWE-310
nessus
NVD
Published: 2014-11-14
Updated: 2017-09-08

Summary

The Remote Mobile Access Subsystem in Cisco Unified Communications Manager (CM) 10.0(1) and earlier does not properly validate the Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof VCS core devices via a crafted certificate issued by a legitimate Certification Authority, aka Bug ID CSCuq86376.

Vulnerable Configurations

Part Description Count
Application
Cisco
139

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

NASL familyCISCO
NASL idCISCO_CUCM_CSCUQ86376.NASL
descriptionAccording to its self-reported version, the remote Cisco Unified Communications Manager (CUCM) device is affected by a security bypass vulnerability due to improper validation of the SAN field in TLS certificates. A remote attacker can impersonate a Cisco TelePresense Video Communication Server (VCS) core device to perform man-in-the-middle (MitM) attacks.
last seen2020-06-01
modified2020-06-02
plugin id80283
published2014-12-29
reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/80283
titleCisco Unified Communications Manager TLS SAN Field MitM (CSCuq86376)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(80283);
  script_version("1.6");
  script_cvs_date("Date: 2018/11/15 20:50:20");

  script_cve_id("CVE-2014-7991");
  script_bugtraq_id(71013);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuq86376");

  script_name(english:"Cisco Unified Communications Manager TLS SAN Field MitM (CSCuq86376)");
  script_summary(english:"Checks the version of Cisco Unified Communications Manager (CUCM).");

  script_set_attribute(attribute:"synopsis", value:"The remote device is affected by a security bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the remote Cisco Unified
Communications Manager (CUCM) device is affected by a security bypass
vulnerability due to improper validation of the SAN field in TLS
certificates. A remote attacker can impersonate a Cisco TelePresense
Video Communication Server (VCS) core device to perform
man-in-the-middle (MitM) attacks.");
  # https://tools.cisco.com/security/center/viewAlert.x?alertId=36381
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4cf7ec63");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/security/center/viewAlert.x?alertId=36381");
  script_set_attribute(attribute:"solution", value:"Apply the relevant patch referenced in the Cisco bug advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/11/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/29");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:unified_communications_manager");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  script_dependencies("cisco_ucm_detect.nbin");
  script_require_keys("Host/Cisco/CUCM/Version", "Host/Cisco/CUCM/Version_Display");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

ver         = get_kb_item_or_exit("Host/Cisco/CUCM/Version");
ver_display = get_kb_item_or_exit("Host/Cisco/CUCM/Version_Display");
app_name    = "Cisco Unified Communications Manager (CUCM)";

fixed_ver = "10.5.2.10000-2";

if (ver_compare(ver:ver, fix:"10.5.2.10000.2", strict:FALSE) >= 0)
  audit(AUDIT_INST_VER_NOT_VULN, app_name, ver_display);

if (report_verbosity > 0)
{
  report =
    '\n  Cisco bug ID      : CSCuq86376'     +
    '\n  Installed release : ' + ver_display +
    '\n  Fixed release     : ' + fixed_ver   +
    '\n';
  security_warning(port:0, extra:report);
}
else security_warning(0);

References