ID

VAR-200707-0338


CVE

CVE-2006-5277


TITLE

Arbitrary code execution vulnerability in the CTL Provider service of CUCM

Trust: 0.8

sources: JVNDB: JVNDB-2007-001224

DESCRIPTION

An off-by-one error in the Certificate Trust List (CTL) Provider service (CTLProvider.exe) in Cisco Unified Communications Manager (CUCM, formerly CallManager) before 20070711 allows remote attackers to execute arbitrary code via a crafted packet that triggers a heap-based buffer overflow.

Cisco Unified Communications Manager is prone to multiple heap-based buffer-overflow vulnerabilities because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. An attacker can exploit these issues to execute arbitrary code within the context of the vulnerable application. Successful exploits may result in a complete compromise of affected servers. Failed exploit attempts will likely result in denial-of-service conditions.

A single-byte overflow vulnerability exists in the CTLProvider.exe and RisDC.exe service components of CUCM, which could be exploited by a remote attacker to render the device unusable or take control of the affected system.

----------------------------------------------------------------------

TITLE: Cisco Unified Communications Manager Two Vulnerabilities
SECUNIA ADVISORY ID: SA26043
VERIFY ADVISORY: http://secunia.com/advisories/26043/
CRITICAL: Moderately critical
IMPACT: DoS, System access
WHERE: From local network
SOFTWARE:
Cisco Unified CallManager 5.x http://secunia.com/product/12535/
Cisco Unified CallManager 4.x http://secunia.com/product/12534/
Cisco Unified CallManager 3.x http://secunia.com/product/2805/
Cisco Unified Communications Manager 5.x http://secunia.com/product/11019/
Cisco Unified Communications Manager 4.x http://secunia.com/product/5363/
DESCRIPTION: Some vulnerabilities have been reported in Cisco Unified Communications Manager (CUCM), which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
Note: This vulnerability does not affect CUCM 3.x.
2) An integer overflow error in the Real-Time Information Server (RIS) Data Collector service (RisDC.exe) can be exploited to cause a heap-based buffer overflow by sending specially crafted packets to the vulnerable service (default port 2556/TCP). Successful exploitation may allow execution of arbitrary code.
SOLUTION: Apply updated versions:
Vulnerability #1 is corrected in CUCM versions 4.1(3)SR5, 4.2(3)SR2, 4.3(1)SR1 and 5.1(2).
Vulnerability #2 is corrected in CUCM versions 3.3(5)SR2b, 4.1(3)SR5, 4.2(3)SR2, 4.3(1)SR1 and 5.1(2).
See vendor advisory for a detailed patch matrix.
PROVIDED AND/OR DISCOVERED BY: IBM Internet Security Systems X-Force
ORIGINAL ADVISORY:
Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20070711-cucm.shtml
IBM Internet Security Systems:
1) http://www.iss.net/threats/270.html
2) http://www.iss.net/threats/271.html

Trust: 2.07

sources: NVD: CVE-2006-5277 // JVNDB: JVNDB-2007-001224 // BID: 24868 // VULHUB: VHN-21385 // PACKETSTORM: 57691

AFFECTED PRODUCTS

vendor: cisco // model: unified callmanager // scope: eq // version: 5.0 // Trust: 1.9
vendor: cisco // model: unified communications manager // scope: lte // version: 4.3(1) // Trust: 1.0
vendor: cisco // model: unified communications manager // scope: gte // version: 4.3 // Trust: 1.0
vendor: cisco // model: unified callmanager // scope: lte // version: 4.1(3)sr4 // Trust: 1.0
vendor: cisco // model: unified callmanager // scope: lte // version: 4.2(3)sr1 // Trust: 1.0
vendor: cisco // model: unified callmanager // scope: gte // version: 4.2 // Trust: 1.0
vendor: cisco // model: unified callmanager // scope: gte // version: 3.3 // Trust: 1.0
vendor: cisco // model: unified callmanager // scope: gte // version: 4.1 // Trust: 1.0
vendor: cisco // model: unified callmanager // scope: lte // version: 3.3(5)sr2 // Trust: 1.0
vendor: cisco // model: unified communications manager // scope: gte // version: 5.1 // Trust: 1.0
vendor: cisco // model: unified communications manager // scope: lte // version: 5.1(1) // Trust: 1.0
vendor: cisco // model: unified callmanager // scope: eq // version: 4.2 // Trust: 0.9
vendor: cisco // model: unified callmanager // scope: lt // version: 200707111 // Trust: 0.8
vendor: cisco // model: unified communications manager // scope: lt // version: 200707111 // Trust: 0.8
vendor: cisco // model: unified communications manager // scope: eq // version: 4.3 // Trust: 0.6
vendor: cisco // model: unified callmanager // scope: eq // version: 4.2(3)sr1 // Trust: 0.6
vendor: cisco // model: unified communications manager // scope: eq // version: 5.1(1) // Trust: 0.6
vendor: cisco // model: unified communications manager // scope: eq // version: 5.1 // Trust: 0.6
vendor: cisco // model: unified callmanager // scope: eq // version: 4.1(3)sr4 // Trust: 0.6
vendor: cisco // model: unified communications manager // scope: eq // version: 4.3(1) // Trust: 0.6
vendor: cisco // model: unified callmanager // scope: eq // version: 3.3(5)sr2 // Trust: 0.6
vendor: cisco // model: unified communications manager // scope: eq // version: 5.1(2) // Trust: 0.3
vendor: cisco // model: unified communications manager // scope: eq // version: 5.1(1) // Trust: 0.3
vendor: cisco // model: unified communications manager 4.2 sr2 // scope: - // version: - // Trust: 0.3
vendor: cisco // model: unified callmanager // scope: eq // version: 5.1 // Trust: 0.3
vendor: cisco // model: unified callmanager 5.0 su1 // scope: - // version: - // Trust: 0.3
vendor: cisco // model: unified callmanager // scope: eq // version: 5.0(4) // Trust: 0.3
vendor: cisco // model: unified callmanager 5.0 // scope: - // version: - // Trust: 0.3
vendor: cisco // model: unified callmanager // scope: eq // version: 5.0(3) // Trust: 0.3
vendor: cisco // model: unified callmanager // scope: eq // version: 5.0(2) // Trust: 0.3
vendor: cisco // model: unified callmanager // scope: eq // version: 5.0(1) // Trust: 0.3
vendor: cisco // model: unified callmanager 4.3 sr1 // scope: - // version: - // Trust: 0.3
vendor: cisco // model: unified callmanager 4.2 sr1 // scope: - // version: - // Trust: 0.3
vendor: cisco // model: unified callmanager 4.1 sr5 // scope: - // version: - // Trust: 0.3
vendor: cisco // model: unified callmanager 4.1 sr4 // scope: - // version: - // Trust: 0.3
vendor: cisco // model: unified callmanager // scope: eq // version: 4.1 // Trust: 0.3
vendor: cisco // model: unified callmanager // scope: eq // version: 4.0 // Trust: 0.3
vendor: cisco // model: unified callmanager 3.3 sr2a // scope: - // version: - // Trust: 0.3
vendor: cisco // model: unified callmanager // scope: eq // version: 3.3 // Trust: 0.3
vendor: cisco // model: call manager sr2 // scope: eq // version: 4.1 // Trust: 0.3
vendor: cisco // model: call manager sr1 // scope: eq // version: 4.1 // Trust: 0.3
vendor: cisco // model: call manager es32 // scope: eq // version: 4.1 // Trust: 0.3
vendor: cisco // model: call manager es24 // scope: eq // version: 4.1 // Trust: 0.3
vendor: cisco // model: call manager es07 // scope: eq // version: 4.1 // Trust: 0.3
vendor: cisco // model: call manager es55 // scope: eq // version: 4.1 // Trust: 0.3
vendor: cisco // model: call manager es50 // scope: eq // version: 4.1 // Trust: 0.3
vendor: cisco // model: call manager es33 // scope: eq // version: 4.1 // Trust: 0.3
vendor: cisco // model: call manager sr2c // scope: eq // version: 4.0 // Trust: 0.3
vendor: cisco // model: call manager sr2b // scope: eq // version: 4.0 // Trust: 0.3
vendor: cisco // model: call manager es62 // scope: eq // version: 4.0 // Trust: 0.3
vendor: cisco // model: call manager es56 // scope: eq // version: 4.0 // Trust: 0.3
vendor: cisco // model: call manager es40 // scope: eq // version: 4.0 // Trust: 0.3
vendor: cisco // model: call manager // scope: eq // version: 4.0 // Trust: 0.3
vendor: cisco // model: call manager sr1a // scope: eq // version: 3.3 // Trust: 0.3
vendor: cisco // model: call manager es30 // scope: eq // version: 3.3 // Trust: 0.3
vendor: cisco // model: call manager es24 // scope: eq // version: 3.3 // Trust: 0.3
vendor: cisco // model: call manager // scope: eq // version: 3.3(5) // Trust: 0.3
vendor: cisco // model: call manager es25 // scope: eq // version: 3.3 // Trust: 0.3
vendor: cisco // model: call manager es61 // scope: eq // version: 3.3 // Trust: 0.3
vendor: cisco // model: call manager // scope: eq // version: 3.3(3) // Trust: 0.3
vendor: cisco // model: call manager // scope: eq // version: 3.3 // Trust: 0.3
vendor: cisco // model: call manager // scope: eq // version: 4.3(1) // Trust: 0.3
vendor: cisco // model: call manager // scope: eq // version: 4.2(3) // Trust: 0.3
vendor: cisco // model: call manager 4.1 sr4 // scope: - // version: - // Trust: 0.3
vendor: cisco // model: unified communications manager 5.1 // scope: ne // version: - // Trust: 0.3
vendor: cisco // model: unified communications manager 4.3 sr.1 // scope: ne // version: - // Trust: 0.3
vendor: cisco // model: unified communications manager sr2b // scope: ne // version: 4.2 // Trust: 0.3
vendor: cisco // model: unified callmanager sr5b // scope: ne // version: 4.1 // Trust: 0.3
vendor: cisco // model: unified callmanager 3.3 sr3 // scope: ne // version: - // Trust: 0.3

sources: BID: 24868 // JVNDB: JVNDB-2007-001224 // CNNVD: CNNVD-200707-271 // NVD: CVE-2006-5277

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2006-5277
value: HIGH

Trust: 1.0

NVD: CVE-2006-5277
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200707-271
value: CRITICAL

Trust: 0.6

VULHUB: VHN-21385
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2006-5277
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-21385
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-21385 // JVNDB: JVNDB-2007-001224 // CNNVD: CNNVD-200707-271 // NVD: CVE-2006-5277

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2006-5277

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200707-271

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200707-271

CONFIGURATIONS

sources: JVNDB: JVNDB-2007-001224

PATCH

title: cisco-sa-20070711-cucm // url: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070711-cucm

Trust: 0.8

sources: JVNDB: JVNDB-2007-001224

EXTERNAL IDS

db: NVD // id: CVE-2006-5277 // Trust: 2.8
db: BID // id: 24868 // Trust: 2.0
db: SECUNIA // id: 26043 // Trust: 1.8
db: OSVDB // id: 36122 // Trust: 1.7
db: VUPEN // id: ADV-2007-2512 // Trust: 1.7
db: SECTRACK // id: 1018369 // Trust: 1.7
db: JVNDB // id: JVNDB-2007-001224 // Trust: 0.8
db: CNNVD // id: CNNVD-200707-271 // Trust: 0.7
db: ISS // id: 20070711 CISCO CALL MANAGER CTLPROVIDER.EXE REMOTE CODE EXECUTION // Trust: 0.6
db: CISCO // id: 20070711 CISCO UNIFIED COMMUNICATIONS MANAGER OVERFLOW VULNERABILITIES // Trust: 0.6
db: XF // id: 31437 // Trust: 0.6
db: VULHUB // id: VHN-21385 // Trust: 0.1
db: PACKETSTORM // id: 57691 // Trust: 0.1

sources: VULHUB: VHN-21385 // BID: 24868 // JVNDB: JVNDB-2007-001224 // PACKETSTORM: 57691 // CNNVD: CNNVD-200707-271 // NVD: CVE-2006-5277

REFERENCES

url:http://www.cisco.com/warp/public/707/cisco-sa-20070711-cucm.shtml

Trust: 2.1

url:http://www.iss.net/threats/270.html

Trust: 1.8

url:http://www.securityfocus.com/bid/24868

Trust: 1.7

url:http://www.osvdb.org/36122

Trust: 1.7

url:http://securitytracker.com/id?1018369

Trust: 1.7

url:http://secunia.com/advisories/26043

Trust: 1.7

url:http://www.vupen.com/english/advisories/2007/2512

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/31437

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-5277

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2006-5277

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/31437

Trust: 0.6

url:http://www.frsirt.com/english/advisories/2007/2512

Trust: 0.6

url:http://www.cisco.com/en/us/products/sw/voicesw/ps556/index.html

Trust: 0.3

url:http://secunia.com/product/2805/

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/network_software_inspector/

Trust: 0.1

url:http://secunia.com/product/12534/

Trust: 0.1

url:http://secunia.com/product/12535/

Trust: 0.1

url:http://secunia.com/product/5363/

Trust: 0.1

url:http://secunia.com/product/11019/

Trust: 0.1

url:http://secunia.com/advisories/26043/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

url:http://www.iss.net/threats/271.html

Trust: 0.1

sources: VULHUB: VHN-21385 // BID: 24868 // JVNDB: JVNDB-2007-001224 // PACKETSTORM: 57691 // CNNVD: CNNVD-200707-271 // NVD: CVE-2006-5277

CREDITS

IBM ISS X-Force

Trust: 0.6

sources: CNNVD: CNNVD-200707-271

SOURCES

db: VULHUB // id: VHN-21385
db: BID // id: 24868
db: JVNDB // id: JVNDB-2007-001224
db: PACKETSTORM // id: 57691
db: CNNVD // id: CNNVD-200707-271
db: NVD // id: CVE-2006-5277

LAST UPDATE DATE

2024-11-23T22:43:21.477000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-21385 // date: 2018-10-17T00:00:00
db: BID // id: 24868 // date: 2016-07-05T21:38:00
db: JVNDB // id: JVNDB-2007-001224 // date: 2012-06-26T00:00:00
db: CNNVD // id: CNNVD-200707-271 // date: 2007-07-18T00:00:00
db: NVD // id: CVE-2006-5277 // date: 2024-11-21T00:18:34.923

SOURCES RELEASE DATE

db: VULHUB // id: VHN-21385 // date: 2007-07-15T00:00:00
db: BID // id: 24868 // date: 2007-07-11T00:00:00
db: JVNDB // id: JVNDB-2007-001224 // date: 2012-06-26T00:00:00
db: PACKETSTORM // id: 57691 // date: 2007-07-13T00:55:11
db: CNNVD // id: CNNVD-200707-271 // date: 2007-07-15T00:00:00
db: NVD // id: CVE-2006-5277 // date: 2007-07-15T21:30:00