Sign-up

ID

VAR-200605-0543


CVE

CVE-2006-2166


TITLE

Cisco Unity Express User Authentication Local privilege escalation vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200605-076

DESCRIPTION

Unspecified vulnerability in the HTTP management interface in Cisco Unity Express (CUE) 2.2(2) and earlier, when running on any CUE Advanced Integration Module (AIM) or Network Module (NM), allows remote authenticated attackers to reset the password for any user with an expired password. Cisco Unity Express (CUE) is prone to a privilege-escalation vulnerability. An attacker could reset the password of a privileged account that has an expired password. Cisco Unity is an advanced unified communications solution for enterprise-level organizations that can provide powerful messaging services and intelligent voice messaging services. There is a loophole in Cisco Unity's handling of user authentication. Local attackers may use this loophole to elevate their privileges. Cisco Unity has a problem with the authentication process of the HTTP-based management interface. If the target user is an administrator, then An attacker could gain administrator privileges on the device. TITLE: Cisco Unity Express Expired Password Change Vulnerability SECUNIA ADVISORY ID: SA19881 VERIFY ADVISORY: http://secunia.com/advisories/19881/ CRITICAL: Less critical IMPACT: Security Bypass, Manipulation of data WHERE: >From local network SOFTWARE: Cisco Unity Express 2.x http://secunia.com/product/5151/ DESCRIPTION: A vulnerability has been reported in Cisco Unity Express (CUE), which can be exploited by malicious users to manipulate certain information. The vulnerability is caused due to missing restrictions in the HTTP management interface during password changes. This makes it possible for an authenticated user to change the password for another user with an expired password (including newly created users with blank/randomly selected passwords). Successful exploitation may e.g. grant administrative privileges on a CUE module, if the changed expired password belongs to an administrative user. SOLUTION: Update to version 2.3(1) or later. http://www.cisco.com/pcgi-bin/tablebuild.pl/cue-231?psrtdcat20e2 PROVIDED AND/OR DISCOVERED BY: The vendor credits Xu He and Keith Vaughan, Bank of America Application Assessment Team. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060501-cue.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 1.35

sources: NVD: CVE-2006-2166 // BID: 17775 // VULHUB: VHN-18274 // PACKETSTORM: 46024

AFFECTED PRODUCTS

vendor:ciscomodel:unity express softwarescope:eqversion:1.1.1

Trust: 1.6

vendor:ciscomodel:unity express softwarescope:eqversion:2.2.2

Trust: 1.6

vendor:ciscomodel:unity express softwarescope:eqversion:2.1.1

Trust: 1.6

vendor:ciscomodel:unity expressscope:eqversion:*

Trust: 1.0

vendor:ciscomodel:unity expressscope: - version: -

Trust: 0.9

vendor:ciscomodel:unity expressscope:eqversion:1.1.1

Trust: 0.6

vendor:ciscomodel:unity expressscope:eqversion:2.2.2

Trust: 0.6

vendor:ciscomodel:unity expressscope:eqversion:2.1.1

Trust: 0.6

vendor:ciscomodel:unity expressscope:eqversion:2.2(2)

Trust: 0.3

vendor:ciscomodel:unity expressscope:eqversion:2.1(1)

Trust: 0.3

vendor:ciscomodel:unity expressscope:eqversion:1.1(1)

Trust: 0.3

vendor:ciscomodel:unity expressscope:neversion:2.3(1)

Trust: 0.3

sources: BID: 17775 // CNNVD: CNNVD-200605-076 // NVD: CVE-2006-2166

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2006-2166
value: LOW

Trust: 1.0

CNNVD: CNNVD-200605-076
value: LOW

Trust: 0.6

VULHUB: VHN-18274
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2006-2166
severity: LOW
baseScore: 2.1
vectorString: AV:N/AC:H/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-18274
severity: LOW
baseScore: 2.1
vectorString: AV:N/AC:H/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-18274 // CNNVD: CNNVD-200605-076 // NVD: CVE-2006-2166

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2006-2166

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200605-076

TYPE

access verification error

Trust: 0.6

sources: CNNVD: CNNVD-200605-076

EXTERNAL IDS

db:BIDid:17775

Trust: 2.0

db:SECUNIAid:19881

Trust: 1.8

db:VUPENid:ADV-2006-1613

Trust: 1.7

db:OSVDBid:25165

Trust: 1.7

db:SECTRACKid:1016015

Trust: 1.7

db:NVDid:CVE-2006-2166

Trust: 1.7

db:CNNVDid:CNNVD-200605-076

Trust: 0.7

db:CISCOid:20060501 CISCO UNITY EXPRESS EXPIRED PASSWORD RESET PRIVILEGE ESCALATION

Trust: 0.6

db:XFid:26165

Trust: 0.6

db:VULHUBid:VHN-18274

Trust: 0.1

db:PACKETSTORMid:46024

Trust: 0.1

sources: VULHUB: VHN-18274 // BID: 17775 // PACKETSTORM: 46024 // CNNVD: CNNVD-200605-076 // NVD: CVE-2006-2166

REFERENCES

url:http://www.cisco.com/warp/public/707/cisco-sa-20060501-cue.shtml

Trust: 2.1

url:http://www.securityfocus.com/bid/17775

Trust: 1.7

url:http://www.osvdb.org/25165

Trust: 1.7

url:http://securitytracker.com/id?1016015

Trust: 1.7

url:http://secunia.com/advisories/19881

Trust: 1.7

url:http://www.vupen.com/english/advisories/2006/1613

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/26165

Trust: 1.1

url:http://www.frsirt.com/english/advisories/2006/1613

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/26165

Trust: 0.6

url:http://www.cisco.com/en/us/products/sw/voicesw/ps5520/index.html

Trust: 0.3

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/19881/

Trust: 0.1

url:http://secunia.com/product/5151/

Trust: 0.1

url:http://www.cisco.com/pcgi-bin/tablebuild.pl/cue-231?psrtdcat20e2

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

sources: VULHUB: VHN-18274 // BID: 17775 // PACKETSTORM: 46024 // CNNVD: CNNVD-200605-076 // NVD: CVE-2006-2166

CREDITS

Discovered by Xu He and Keith Vaughan of the Bank of America Application Assessment Team.

Trust: 0.3

sources: BID: 17775

SOURCES

db:VULHUBid:VHN-18274
db:BIDid:17775
db:PACKETSTORMid:46024
db:CNNVDid:CNNVD-200605-076
db:NVDid:CVE-2006-2166

LAST UPDATE DATE

2024-08-14T15:31:03.206000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-18274date:2018-10-30T00:00:00
db:BIDid:17775date:2006-05-02T23:05:00
db:CNNVDid:CNNVD-200605-076date:2006-05-23T00:00:00
db:NVDid:CVE-2006-2166date:2018-10-30T16:25:29.480

SOURCES RELEASE DATE

db:VULHUBid:VHN-18274date:2006-05-04T00:00:00
db:BIDid:17775date:2006-05-02T00:00:00
db:PACKETSTORMid:46024date:2006-05-03T04:53:11
db:CNNVDid:CNNVD-200605-076date:2006-05-04T00:00:00
db:NVDid:CVE-2006-2166date:2006-05-04T12:38:00