Cisco Unified Communications Manager Web Framework HTTP Requests sql injection

Summaryinfo

A vulnerability, which was classified as critical, has been found in Cisco Unified Communications Manager. Affected by this vulnerability is an unknown functionality of the component Web Framework. This manipulation as part of HTTP Requests causes sql injection. This vulnerability is handled as CVE-2018-0120. The attack can be initiated remotely. There is not any exploit available.

Detailsinfo

A vulnerability has been found in Cisco Unified Communications Manager (Unified Communication Software) (affected version unknown) and classified as critical. Affected by this vulnerability is an unknown functionality of the component Web Framework. The manipulation as part of a HTTP Requests leads to a sql injection vulnerability. The CWE definition for the vulnerability is CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

A vulnerability in the web framework of Cisco Unified Communications Manager could allow an authenticated, remote attacker to conduct an SQL injection attack against an affected system. The vulnerability exists because the affected software fails to validate user-supplied input in certain SQL queries that bypass protection filters. An attacker could exploit this vulnerability by submitting crafted HTTP requests that contain malicious SQL statements to an affected system. A successful exploit could allow the attacker to determine the presence of certain values in the database of the affected system. Cisco Bug IDs: CSCvg74810.

The bug was discovered 02/07/2018. The weakness was released 02/08/2018 with Cisco as cisco-sa-20180207-cucm as confirmed advisory (Website). The advisory is shared at tools.cisco.com. This vulnerability is known as CVE-2018-0120 since 11/27/2017. The exploitation appears to be easy. The attack can be launched remotely. The successful exploitation needs a single authentication. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 02/02/2021). MITRE ATT&CK project uses the attack technique T1505 for this issue.

The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $5k-$25k. The commercial vulnerability scanner Qualys is able to test this issue with plugin 316192 (Cisco Unified Communications Manager SQL Injection Vulnerability(cisco-sa-20180207-cucm)).

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 102958†). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Unified Communication Software

Vendor

• Cisco

Name

• Unified Communications Manager

License

• commercial

Website

• Vendor: https://www.cisco.com/

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion