Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (VoIP)  >   Cisco Unified Communications Manager (CallManager) Vendors:   Cisco
Cisco Unified Communications Manager setuid Binary Lets Local Users Gain Root Privileges
SecurityTracker Alert ID:  1024694
SecurityTracker URL:
CVE Reference:   CVE-2010-3039   (Links to External Site)
Date:  Nov 8 2010
Impact:   Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6, 7, 8
Description:   A vulnerability was reported in Cisco Unified Communications Manager. A local user can obtain root privileges on the target system.

A local user can supply specially crafted command line arguments to a set user id (setuid) binary to execute arbitrary commands on the target system with root privileges.

The vendor was notified on August 21, 2010.

Cisco has assigned Cisco bug IDs CSCti52041 and CSCti74930 to this vulnerability.

Knud Erik Hjgaard of nSense reported this vulnerability.

Impact:   A local user can obtain root privileges on the target system.
Solution:   The vendor has issued a fix.

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Access control error, Input validation error

Message History:   None.

 Source Message Contents

Subject:  nSense-2010-003: Cisco Unified Communications Manager

       nSense Vulnerability Research Security Advisory NSENSE-2010-003

       Affected Vendor:    Cisco Systems, Inc
       Affected Product:   Cisco Unified Communications Manager
       Platform:           All
       Impact:             Privilege Escalation
       Vendor response:    Patch. IntelliShield ID 21656
       CVE:                CVE-2010-3039
       Credit:             Knud / nSense

       Technical details

       Cisco Unified Communications Manager contains a setuid binary
       which fails to validate command line arguments. A local user
       can leverage this vulnerability to gain root access by
       supplying suitable arguments to the binary.

       The application also contains unsafe function calls, such as

       Proof of concept:
       /usr/local/cm/bin/pktCap_protectData -i";id"

       Aug 21st            Contacted vendor PSIRT
       Aug 23rd            Vendor response. Vulnerability acknowledged
       Aug 23rd            More information sent to vendor
       Sep 2nd             Status update request sent to vendor
       Sep 2nd             Vendor response
       Sep 3rd             Vendor response. More information provided.
       Sep 22nd            Status update request sent to vendor
       Sep 22nd            Vendor response
       Sep 23rd            Vendor response. New release date suggested
       Sep 23rd            Agreed to the October 20th release date
       Sep 23rd            Vendor response
       Oct 6th             Requested schedule information from vendor
       Oct 6th             Vendor response. New release date suggested
       Oct 6th             Sent counterproposal to vendor
       Oct 6th             Vendor response. Requested Wednesday release
       Oct 7th             Agreed to the new release date
       Oct 7th             Vendor response
       Nov 3rd             Vendor confirms release and sends link
       Nov 5th             Advisory published

       A thank you to Matthew Cerha / Cisco PSIRT for the coordination

       "Remember, remember the Fifth of November"


       $$s$$$$s.   ,s$$$$s   ,S$$$$$s.  $$s$$$$s.   ,s$$$$s   ,S$$$$$s.
       $$$  `$$$  ($$(       $$$  `$$$  $$$  `$$$  ($$(       $$$  `$$$
       $$$   $$$    `^$$s.   $$$$$$$$$  $$$   $$$    `^$$s.   $$$$$$$$$
       $$$   $$$       )$$)  $$$        $$$   $$$       )$$)  $$$
       $$$   $$$  ^$$$$$$7    `7$$$$$P  $$$   $$$  ^$$$$$$7   `7$$$$$P

                      D r i v e n   b y   t h e   c h a l l e n g e _

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC