Default SSH Private Key Exposes Cisco’s VoIP Manager to Remote Attack

Multiple Vulnerabilities Found in Cisco’s VoIP Manager

Cisco’s enterprise call and session management platform Cisco Unified Communications Domain Manager (Unified CDM) is plagued by three vulnerabilities, the company announced on Wednesday.

The first vulnerability (CVE-2014-2198), could be exploited by an unauthenticated, remote attacker to connect to the affected system with root privileges, Cisco warned. The cause is a flaw in the implementation of the framework that’s used by Cisco support representatives to access the platform software. More precisely, a default SSH private key that’s stored on the system in an insecure way could be obtained by an attacker by reverse engineering the binary file of the operating system, Cisco said in its advisory.

“Having the same key on all systems is mistake number one, but wouldn’t be fatal if the secret key would have been tugged away in Cisco’s special safedeposit box. Instead, they left the secret key on customer systems as well. So in other words: If you own one of the systems, you got the key to access all of them,” said Johannes Ullrich, the dean of research for the SANS Technology Institute. “Filtering SSH access to the device at your border is a good first step to protect yourself if you can’t patch right away.”

The second vulnerability (CVE-2014-2197) affecting Cisco Unified CDM is a privilege escalation flaw in the product’s web framework. According to Cisco, the weakness is caused by improper implementation of authentication and authorization controls in the administration graphical user interface (GUI).

“An attacker could exploit this vulnerability by submitting a crafted URL to change the administrative credentials of a user. The attacker needs to be authenticated to the system or convince a valid user of the Administration GUI to click a malicious link,” Cisco explained.

An unauthorized data manipulation vulnerability affecting the Cisco Unified CDM BVSMWeb portal (CVE-2014-3300) has also been found. The bug can be leveraged by a remote, unauthenticated attacker to access and change user information in the BVSMWeb portal, including settings in the personal phone directory, call forward settings, speed dials, and the Single Number Reach feature.
 
“The vulnerability is due to improper implementation of authentication and authorization controls when accessing some web pages of the BVSMWeb portal. An attacker could exploit this vulnerability by submitting a crafted URL to the affected system,” Cisco said.

Cisco released patches for the default SSH key and privilege escalation vulnerabilities. While a permanent fix is being developed for the unauthorized data manipulation issue, the company advises customers to provide services via the Unified CDM and the Unified CDM Self-Care portal, instead of the Cisco Unified CDM BVSMWeb portal.

The United States Computer Emergency Readiness Team (US-CERT) has also published a short security advisory to warn organizations about these vulnerabilities.