The The Cisco Product Security Incident Response Team (PSIRT) has published two important vulnerability advisories:
- Vulnerabilities in Cisco Unified Contact Center Express
- Cisco Application Extension Platform Privilege Escalation Vulnerability
Vulnerabilities in Cisco Unified Contact Center Express
Cisco Unified Contact Center Express (UCCX or Unified CCX) contains a denial of service (DoS) vulnerability and a directory traversal vulnerability. These vulnerabilities are independent of each other. Exploitation of these vulnerabilities could result in a DoS condition or an information disclosure.
The vulnerabilities described in this document affect the following products:
- Cisco UCCX versions 5.x, 6.x, and 7.x
- Cisco Customer Response Solution (CRS) versions 5.x, 6.x, and 7.x
- Cisco Unified IP Interactive Voice Response (Cisco Unified IP IVR) versions 5.x, 6.x, and 7.x
Denial of Service Vulnerability: A DoS vulnerability exists in the computer telephony integration (CTI) server component of the Cisco UCCX product. The CTI server is only started when the Integrated Call Distribution (ICD) license is enabled, Cisco Unified IP Interactive Voice Response (Cisco Unified IP IVR) deployments are not affected by the CTI server DoS vulnerability. The CTI server listens by default on TCP port 42027, although the port number can be changed in the System Port Parameters screen. This vulnerability is triggered by malformed CTI messages addressed to the vulnerable systems that could cause the CTI server and the Cisco Unified CCX Node Manager to fail, and all active agents will be logged out. The DoS condition will be temporal and the Cisco UCCX system will become operational again once the node manager and the CTI server complete their automatic restart.
Directory Traversal Vulnerability: A directory traversal vulnerability exists in the bootstrap service of the Cisco UCCX product that allows read access to any file on the system. This vulnerability is triggered by bootstrap messages addressed to TCP port 6295. The bootstrap service is used to keep the UCCX configuration synchronized across servers in a high-availability deployment model. All deployment modes can be affected, such as ICD, ICM and IP-IVR, but only if a second node has been added to the configuration. (Nodes can be listed using the Cisco UCCX Administration Web interface with the Server option in the System pull-down taskbar). A high-availability license is not required for a system to be vulnerable.
Successful exploitation of the Cisco UCCX CTI server DoS vulnerability will cause the agents to logout, and the Cisco UCCX server will be temporarily unavailable to agents until the node manager service and CTI server complete their automatic restart. Repeated attempts to exploit this vulnerability could result in a sustained DoS condition. Successful exploitation of the Cisco UCCX bootstrap service directory traversal vulnerability enables an unauthenticated attacker to read any file on the system.
Cisco Application Extension Platform Privilege Escalation Vulnerability
The Cisco Application Extension Platform contains a privilege escalation vulnerability in the tech support diagnostic shell that may allow an authenticated user to obtain administrative access to a vulnerable Cisco Application Extension Platform module. Cisco has released free software updates that address this vulnerability. There is no workaround for this vulnerability.
The following products are affected by this vulnerability:
- Cisco Application Extension Platform version 1.1
- Cisco Application Extension Platform version 1.1.5 if upgraded from version 1.1
The Cisco Application Extension Platform (AXP) allows third-party applications to be hosted on Cisco Integrated Services Routers (ISR). A privilege escalation vulnerability exists in command-line interface of the the tech support diagnostic shell that may allow an authenticated user to obtain complete administrative access to vulnerable Cisco AXP module. The tech support shell is accessed using the techsupport support shell command. Authenticated Cisco AXP users can use an application programming interface (API) to execute commands on the Cisco ISR that is hosting the AXP module. It may be possible for an AXP user to obtain sensitive configuration information that allows the user to gain access to the ISR device. Cisco AXP version 1.5 requires that a user be configured in the ISR configuration before the AXP user can execute commands using the API.
Successful exploitation of the vulnerability may allow an authenticated user to obtain complete administrative access to a vulnerable Cisco Application Extension Platform module.