|Product||Cisco Unified Call Manager (UCM) Administrator Portal version 220.127.116.1100-11, other versions may be affected|
A SQL Injection vulnerability was discovered in the Cisco Unified Call Manager (UCM) administrator portal. An authenticated user can utilize this vulnerability to enumerate the entire database that is used by Cisco UCM. This includes any secrets, such as password hashes.
The SQL Injection issue was found in several areas of the application. Below is a URL that was used to discover the first injection point. The GET parameter "whereClause" contained the SQL Injection payload:
hLimVal3=&searchLimVal4=&whereClause=1=1 AND (select ascii(subs
tring(tabname from 1 for 1)) FROM systables where tabid = 1) >
The above SQL statement can be broken down into the following:
This SQL Injection was classified as a Blind Boolean injection, with server’s response size dependent on if the injected SQL statement returns a true or false response. By going through each letter, it is possible to enumerate the underlying tables, columns and entries.
The above SQL Injection point was discovered and verified with the tool SQLMap, and the backend database was confirmed to be Informix. After the initial discovery, several other injection points, undetectable by SQLMap, were manually discovered.
After the initial disclosure to Cisco, their internal team also verified additional SQL Injection points throughout the application.
As stated, SQLMap could be used to discover and verify the above Informix SQL Injection point. However, SQLMap could not be used to do the following:
F-Secure created some scripts that can be used to fully exploit this issue. It relies on the above SQL Injection point, but the scripts can be modified to work with any other SQL Injection point.
At the time of this advisory's posting, Cisco is working on releasing the following patches to the UCM application that will resolve this issue:
If upgrading UCM to the above versions is not possible, the following mitigations are recommended:
|2019-04-26||Issue reported to vendor|
|2019-05-07||Vendor responded, requested additional details|
|2019-05-07||Additional details sent|
|2019-05-22||Vendor responded, internal analysis still in progress|
|2019-06-11||Vendor responded, vulnerability confirmed in multiple versions of UCM|
|2019-06-14||Vendor responded, internal teams engaged to determine if other products are affected|
|2019-06-14||Informed vendor of client pre-release disclosure|
|2019-09-14||Vendor responded, approved of client pre-release disclosure|
|2019-09-25||F-Secure and vendor agree to a joint public disclosure date of 20 November|