Cisco Unified Communications Manager SQL Injection Vulnerability [CVE-2017-3886]
Threat Type: Vulnerability Threat Severity: Medium
Affected Platforms
Known affected releases:
1.0(1.10000.10)
11.5(1.10000.6)
Description
Security researchers have found that Cisco Unified Communications Manager (Cisco Unified CM / CallManager) is vulnerable to an SQL-injection. The attack would compromise the application, allowing data to be accessed and modified as well as exploiting hidden vulnerabilities in the underlying database.
Researchers have reported that only authenticated attackers can exploit the vulnerability in Cisco Unified CM. If exploited, an authenticated, remote attacker could execute arbitrary SQL queries.
A successful SQL injection exploit can lead to the unauthorised exposure of sensitive data from the database, the execution of unauthorised administrative operations on the database and even modification or deletion of the database. Therefore, an attack would impact on the confidentiality, integrity and availability of the system.
The reported vulnerability occurs due to a lack of input validation on HTTP requests which encompass user-provided input. An attacker could exploit this vulnerability by sending constructed HTTP requests that contain malicious SQL statements. The vulnerability can also allow a remote attacker to check if certain data exists in the application.
CVE identifier:
Affected Products:
Known affected releases:
- 1.0(1.10000.10)
- 11.5(1.10000.6)
Known Fixed Releases:
- 12.0(0.98000.619)
- 12.0(0.98000.485)
- 12.0(0.98000.212)
- 11.5(1.13035.1)
- 11.0(1.23900.5)
- 11.0(1.23900.2)
- 11.0(1.23067.1)
- 10.5(2.15900.2)
Remediation
- Ensure any identified vulnerable Cisco Unified CM/ CallManager product versions are included in patch deployment schedules.
- Users are encouraged to patch all relevant programs as quickly as possible.
