Cisco Closes Backdoor In Unified Communications Manager

Cisco has warned of three flaws in its unified communications services that could allow a remote attacker to gain complete administrative control of a system and access and modify personal user information.

The vulnerabilities impact both the platform and application software for the Cisco Unified Communications Domain Manager (Unified CDM), which controls and manages unified communication deployments as well as associated phones and clients.

The most serious bug affects the platform software with Cisco warning that if exploited, could “allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user.”

Cisco unified communications security

“The vulnerability is due to the presence of a default SSH private key, which is stored in an insecure way on the system. An attacker could exploit this vulnerability by obtaining the SSH private key. For example, the attacker might reverse engineer the binary file of the operating system,” it continues. “This will allow the attacker to connect by using the support account to the system without requiring any form of authentication.”

Cisco has advised customers to download a software update which corrects the flaw, while it has also released a patch for a separate vulnerability affecting the Unified CDM application software which could allow a remote attacker to elevate their privileges and gain administrative access to an affected system through the use of a malicious link.

The problem has been attributed to the improper implementation of authentication and authorisation controls of the administration GUI.

Cisco says the same problem is the cause of another flaw relating to the application software that could allow an unauthorised user to access and change settings relating to phone directories, speed dials, single number reach and call forwarding, however there is no update as yet for this particular vulnerability.

Do you know all about Cisco? Take our quiz.

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

Apple Sales Rise 6 Percent After Early iPhone 16 Demand

Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…

24 hours ago

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago