The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Cisco Unified Communications Manager: commands execution via CTIManager

Synthesis of the vulnerability 

An attacker can send crafted Kerberos tickets to CTIManager of Cisco Unified Communications Manager, in order to run arbitrary commands.
Impacted systems: Cisco CUCM.
Severity of this alert: 3/4.
Creation date: 12/08/2014.
References of this alert: 35258, CVE-2014-3338, VIGILANCE-VUL-15149.

Description of the vulnerability 

Cisco Unified Communications Manager includes a component named CTIManager.

This product can use Kerberos for its SSO functionality. However, CTIManager does not properly parse the content of Kerberos tickets, so commands embedded in a ticket are not rejected before they are used.

An attacker can therefore send crafted Kerberos tickets to CTIManager of Cisco Unified Communications Manager, in order to run arbitrary commands.
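The bulletin describes the bug class (ticket-derived data reaching a command interpreter unchecked) without publishing CUCM's code. The example below is added here to illustrate that class generically; it is not Cisco's code and makes no claim about how CTIManager is implemented. The tool name `cti-provision`, the allow-list regex, and the sample principals are assumptions constructed for the example, and `echo` stands in for the real tool so that everything runs offline.

```python
import re
import subprocess

# Conservative allow-list for a Kerberos principal (primary[/instance]@REALM).
# Real principals can contain other characters; this pattern is an assumption
# chosen for the example, not a rule from the Kerberos RFCs.
PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)?@[A-Za-z0-9.-]+$")

# Constructed sample principals: one benign, one carrying shell syntax.
CONSTRUCTED_GOOD = "alice@EXAMPLE.COM"
CONSTRUCTED_HOSTILE = "alice@EXAMPLE.COM; echo INJECTED"


def run_unsafe(principal):
    """Vulnerable pattern: the principal taken from a ticket is spliced into a
    shell command line. Whatever the ticket carries becomes shell syntax.
    ('echo' stands in for a hypothetical provisioning tool.)"""
    cmd = "echo --user " + principal
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def parse_principal(principal):
    """Hardened parsing: reject anything outside the allow-list before use,
    then split into the (name, realm) pair the caller actually needs."""
    if not PRINCIPAL_RE.fullmatch(principal):
        raise ValueError("rejected principal from ticket: %r" % principal)
    name, realm = principal.split("@", 1)
    return name, realm


def principal_is_accepted(principal):
    """True if the principal survives validation, False otherwise."""
    try:
        parse_principal(principal)
    except ValueError:
        return False
    return True


def build_command_safe(principal):
    """Hardened pattern: validate first, then build an argv list. No shell is
    involved, so metacharacters can never be interpreted."""
    name, realm = parse_principal(principal)
    # 'cti-provision' is a hypothetical tool name used for illustration.
    return ["cti-provision", "--user", name, "--realm", realm]


def run_safe(principal):
    """Execute the validated argv (with 'echo' substituted for the tool)."""
    argv = build_command_safe(principal)
    argv[0] = "echo"
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print("unsafe, hostile ticket ->", repr(run_unsafe(CONSTRUCTED_HOSTILE)))
    print("safe, benign ticket    ->", repr(run_safe(CONSTRUCTED_GOOD)))
    print("safe, hostile ticket   ->", principal_is_accepted(CONSTRUCTED_HOSTILE))
```

Running it shows the second `echo` executing in the unsafe path, while the hardened path refuses the hostile principal outright and, for the benign one, never hands the string to a shell at all. The fix that matters is the combination: a strict parser on the ticket content, and an argv-based call so that parsing failures are the only way data from the ticket can influence control flow.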

This cybersecurity alert impacts software or systems such as Cisco CUCM.

Our Vigil@nce team rated the severity of this weakness as high (3/4).

The trust level is "confirmed by the vendor"; the attack origin is an intranet client.

An attacker with expert skills can exploit this security weakness.

Solutions for this threat 

Cisco Unified Communications Manager: solution CSCum95491.
The solution CSCum95491 is available:
  https://tools.cisco.com/bugsearch/bug/CSCum95491
