The UCM is the call processing component of
The most serious vulnerability addressed by the newly released patches can lead to a buffer overflow and is identified as CVE-2013-3462 in the Common Vulnerabilities and Exposures database. This vulnerability can be exploited remotely, but it requires the attacker to be authenticated on the device. "An attacker could exploit this vulnerability by overwriting an allocated memory buffer on an affected device,"
The CVE-2013-3462 vulnerability affects versions 7.1(x), 8.5(x), 8.6(x), 9.0(x) and 9.1(x) of Cisco UCM,
The company also patched three denial-of-service (DoS) flaws that can be remotely exploited by unauthenticated attackers.
One of them, identified as CVE-2013-3459, is caused by improper error handling and can be exploited by sending malformed registration messages to the affected devices. The flaw only affects Cisco UCM 7.1(x) versions.
The second DoS issue is identified as CVE-2013-3460 and is caused by insufficient limiting of traffic received on certain UDP ports. It can be exploited by sending UDP packets at a high rate on those specific ports to devices running versions 8.5(x), 8.6(x), and 9.0(x) of Cisco UCM.
The third vulnerability, identified as CVE-2013-3461, is similar but only affects the Session Initiation Protocol (SIP) port. "An attacker could exploit this vulnerability by sending UDP packets at a high rate to port 5060 on an affected device,"
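The two UDP flood issues above (CVE-2013-3460 and CVE-2013-3461) come down to a device that does not cap the rate of datagrams it accepts on a port. The following is an added example, not Cisco's code and not the fix shipped in the patched releases: a per-source sliding-window counter that a defender could run over exported packet or flow logs to spot sources sending to the SIP port (5060) above a threshold. The log format, the addresses and the threshold of 50 packets per second are constructed placeholders; real values must be tuned against baseline traffic.

```python
"""Per-source UDP rate detector for a single port (example: SIP, UDP/5060).

Constructed example. The log line format "<epoch_ms> <src_ip> <dst_port>"
and all addresses and thresholds are assumptions, not taken from any
Cisco product or advisory.
"""
from collections import defaultdict, deque


def parse_line(line):
    """Parse one constructed log line into (timestamp_ms, source_ip, dst_port)."""
    ts, src, port = line.split()
    return int(ts), src, int(port)


def find_flooding_sources(lines, port=5060, window_ms=1000, max_packets=50):
    """Return {source_ip: peak packets seen in any window} for every source
    that sent more than max_packets datagrams to `port` inside window_ms.

    A deque per source holds the timestamps still inside the window; packets
    older than the window are dropped from the front on each arrival.
    """
    windows = defaultdict(deque)
    offenders = {}
    for line in lines:
        ts, src, dst_port = parse_line(line)
        if dst_port != port:
            continue  # only the monitored port counts toward this rule
        q = windows[src]
        q.append(ts)
        while q and ts - q[0] >= window_ms:
            q.popleft()
        if len(q) > max_packets:
            offenders[src] = max(offenders.get(src, 0), len(q))
    return offenders


def build_sample_log():
    """Constructed traffic: one flooding source, one normal source, and one
    busy source on a different port that this rule must ignore."""
    lines = []
    # 198.51.100.7: 120 datagrams to 5060 inside 600 ms -> should be flagged
    for i in range(120):
        lines.append(f"{1000 + i * 5} 198.51.100.7 5060")
    # 192.0.2.10: 5 datagrams to 5060 spread over 5 s -> normal
    for i in range(5):
        lines.append(f"{1000 + i * 1000} 192.0.2.10 5060")
    # 203.0.113.4: 200 datagrams to another UDP port -> outside this rule
    for i in range(200):
        lines.append(f"{1000 + i} 203.0.113.4 5061")
    # order by timestamp, as a capture would be
    lines.sort(key=lambda l: int(l.split()[0]))
    return lines


if __name__ == "__main__":
    for src, peak in find_flooding_sources(build_sample_log()).items():
        print(f"{src}: {peak} datagrams to UDP/5060 within one window")
```

The same logic can be pointed at the other affected UDP ports by changing `port`; on a live box the counter is the detection side, while the mitigation remains upgrading to a release that rate-limits the port itself, since the advisory lists no workaround.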
Patched versions have been released for all affected UCM release branches, and there are no known workarounds at this time that would mitigate the flaws without upgrading.
All of the patched vulnerabilities were discovered during internal testing, and the company's Product Security Incident Response Team (PSIRT) is not aware of any cases in which these issues have been exploited or publicly documented.
"In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release,"