
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN204
_____________________________________________________________________

DATE                : 16/04/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Cisco Unified Communications Manager (UCM),
                     Cisco Unified Communications Manager Session Management
                     Edition (SME).

=====================================================================
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-taps-path-trav-pfsFO93r
_____________________________________________________________________

Cisco Unified Communications Manager Path Traversal Vulnerability

Priority:        High

Advisory ID:     cisco-sa-cucm-taps-path-trav-pfsFO93r

First Published: 2020 April 15 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvq58268, CSCvt33058

CVE-2020-3177

CWE-22

CVSS Score:
7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X


Summary

  o A vulnerability in the Tool for Auto-Registered Phones Support
    (TAPS) of Cisco Unified Communications Manager (UCM) and Cisco
    Unified Communications Manager Session Management Edition (SME) could
    allow an unauthenticated, remote attacker to conduct directory
    traversal attacks on an affected device.

    The vulnerability is due to insufficient validation of user-supplied
    input to the TAPS interface of the affected device. An attacker
    could exploit this vulnerability by sending a crafted request to the
    TAPS interface. A successful exploit could allow the attacker to
    read arbitrary files in the system.

    Cisco has released software updates that address the vulnerability
    described in this advisory. There are no workarounds that address
    this vulnerability.

    This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-taps-path-trav-pfsFO93r


Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are
    running a vulnerable software release and the auto-registration
    feature is enabled.
    The auto-registration feature is not enabled by default.

       UCM
       UCM SME

    For information about which Cisco software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Determine Whether Auto-Registration Is Enabled

    Administrators can use the following steps to determine whether
    auto-registration is enabled:

     1. In Cisco Unified Communications Manager Serviceability, choose
        Tools > Control Center - Feature Services. The Control
        Center-Feature Services window displays.
     2. Choose the Cisco Unified Communications Manager server from the
        Servers drop-down list box. TAPS Service displays in the list in
        the Database and Admin Services column, in Unified CMServices.
     3. Note the status. If TAPS is already activated, Status is shown
        as Activated.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this
    advisory are known to be affected by this vulnerability.


Workarounds

  o There are no workarounds that address this vulnerability.


Fixed Software

  o Cisco has released free software updates that address the
    vulnerability described in this advisory. Customers may only install
    and expect support for software versions and feature sets for which
    they have purchased a license. By installing, downloading,
    accessing, or otherwise using such software upgrades, customers
    agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they
    have a valid license, procured from Cisco directly, or through a
    Cisco authorized reseller or partner. In most cases this will be a
    maintenance upgrade to software that was previously purchased. Free
    security software updates do not entitle customers to a new software
    license, additional software feature sets, or major revision
    upgrades.

    When considering software upgrades, customers are advised to
    regularly consult the advisories for Cisco products, which are
    available from the Cisco Security Advisories and Alerts page, to
    determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be
    upgraded contain sufficient memory and confirm that current hardware
    and software configurations will continue to be supported properly
    by the new release.
    If the information is not clear, customers are advised to contact
    the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
    service contract and customers who make purchases through
    third-party vendors but are unsuccessful in obtaining fixed software
    through their point of sale should obtain upgrades by contacting the
    Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
    prepared to provide the URL of this advisory as evidence of
    entitlement to a free upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate fixed software
    release as indicated in the following table:

    Cisco UCM and SME Major Release   First Fixed Release for This Vulnerability
    -------------------------------   ------------------------------------------
    Prior to 10.5                     Migrate to 10.5(2)SU9
    10.5                              10.5(2)SU9
    11.0                              Migrate to 11.5(1)SU7
    11.5                              11.5(1)SU7
    12.0                              Migrate to 12.5(1)SU2
    12.5                              12.5(1)SU2
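    To turn the table above into a repeatable exposure check, the following
    added example (not part of the advisory or of any Cisco tool) parses a
    running UCM/SME release string and reports, for CVE-2020-3177, whether the
    train is fixed, needs an upgrade, or needs a migration. It assumes release
    strings in the advisory's own X.Y(Z)SUn form and the auto-registration
    status obtained from the Serviceability steps earlier in this advisory.

```python
import re
from typing import Tuple

# First fixed release per UCM / SME major train, copied from the advisory's
# Fixed Releases table. Trains listed as "Migrate to ..." have no fix of their own.
FIRST_FIXED = {"10.5": "10.5(2)SU9", "11.5": "11.5(1)SU7", "12.5": "12.5(1)SU2"}
MIGRATE_TO = {"11.0": "11.5(1)SU7", "12.0": "12.5(1)SU2"}

# Assumption: release strings look like the advisory's, e.g. "11.5(1)SU7".
# Full build strings such as "11.5(1.10000-6)" are not handled and are rejected.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)\)(?:SU(\d+))?\s*$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'X.Y(Z)SUn' into a comparable tuple; a missing SU counts as SU0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised UCM release string: {text!r}")
    major, minor, maint, su = m.groups()
    return (int(major), int(minor), int(maint), int(su or 0))


def assess(version: str, auto_registration_enabled: bool) -> Tuple[str, str]:
    """Map a running release to (status, action) for CVE-2020-3177.

    status: 'fixed', 'vulnerable', 'not_exposed' (release lacks the fix but
    auto-registration, and so TAPS, is off), or 'not_in_table' (train not
    covered by the advisory; check with the vendor).
    """
    v = parse_version(version)
    train = f"{v[0]}.{v[1]}"
    if v[:2] < (10, 5):                      # "Prior to 10.5" row
        action = f"migrate to {FIRST_FIXED['10.5']}"
    elif train in MIGRATE_TO:                # 11.0 and 12.0 rows
        action = f"migrate to {MIGRATE_TO[train]}"
    elif train in FIRST_FIXED:               # 10.5, 11.5, 12.5 rows
        fixed = FIRST_FIXED[train]
        if v >= parse_version(fixed):
            return ("fixed", f"running {fixed} or later")
        action = f"upgrade to {fixed}"
    else:
        return ("not_in_table", "train not listed in this advisory")
    # The advisory scopes impact to devices with auto-registration enabled,
    # but a release below the first fixed one still needs the upgrade.
    if not auto_registration_enabled:
        return ("not_exposed", action)
    return ("vulnerable", action)
```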


Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not
    aware of any public announcements or malicious use of the
    vulnerability that is described in this advisory.

Source

  o Cisco would like to thank Brenden Meeder and Lawrence Lauderdale of
    Booz Allen Hamilton for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document
    also contains instructions for obtaining fixed software and
    receiving security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-taps-path-trav-pfsFO93r


Revision History

  o
    +---------+-------------------------+---------+--------+-------------+
    | Version | Description             | Section | Status | Date        |
    +---------+-------------------------+---------+--------+-------------+
    | 1.0     | Initial public release. | -       | Final  | 2020-APR-15 |
    +---------+-------------------------+---------+--------+-------------+

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================