Cisco Reports Three Threats to its UCS Software
Near the middle of last week, Cisco announced that it had found three distinct threats to its unified communications services that could allow hackers to gain control of users' systems. Along with that announcement, it has posted fixes for the problems in a software application patch.
According to the report, the vulnerabilities affect the stability of Cisco's Unified Communications Domain Manager. The names of the vulnerabilities are as follows:
- Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability.
- Cisco Unified Communications Domain Manager Default SSH Key Vulnerability.
- Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability.
Exploitation of the first two security risks "may allow an attacker to execute arbitrary commands or obtain privileged access to the affected system," Cisco says. Exploitation of the third "may allow an attacker to access and modify BVSMWeb portal user information such as settings in the personal phone directory, speed dials, Single Number Reach, and call forward settings."
Cisco's Unified Communications Manager is responsible for handling administrative functions with regard to Cisco Unity Connection, Cisco Jabber applications, and phones and soft clients integrated with such applications. As a result, it is possible that hackers could gain access to a number of hardware devices, and the software that controls those devices, throughout entire enterprises.
Cisco says that there is no way of mitigating the vulnerabilities aside from using its software patch. As such, it urges users of its UCS software to immediately update their products. The updates contain fixes to the vulnerabilities it has listed, and the company says updates will only include feature sets for products businesses have previously purchased, so the updates will not include any additional features beyond their ability to fix the stated problems.