----------------------------------------------------------------------

TITLE:
Cisco Unified Communications Manager IP Phone PAB Information Disclosure

SECUNIA ADVISORY ID:
SA34238

VERIFY ADVISORY:
http://secunia.com/advisories/34238/

DESCRIPTION:
A vulnerability has been reported in Cisco Unified Communications
Manager, which can be exploited by malicious users to disclose
sensitive information.

The vulnerability is caused due to a design error in the Cisco IP
Phone Personal Address Book (PAB) Synchronizer feature. The problem is
that Cisco Unified Communications Manager returns user credentials for
the Cisco Unified Communications Manager directory service in plain
text after an IP Phone PAB Synchronizer client has successfully
authenticated. This can be exploited to access the directory service
and potentially gain administrative privileges.

The vulnerability is reported in the following products and versions:
* Cisco Unified CallManager 4.1 versions
* Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR4b
* Cisco Unified Communications Manager 4.3 versions prior to 4.3(2)SR1b
* Cisco Unified Communications Manager 5.x versions prior to 5.1(3e)
* Cisco Unified Communications Manager 6.x versions prior to 6.1(3)
* Cisco Unified Communications Manager 7.0 versions prior to 7.0(2)

SOLUTION:
Cisco Unified Communications Manager software version 4.2 / Unified
CallManager software version 4.1:
Update to version 4.2(3)SR4b.

Cisco Unified Communications Manager software version 4.3:
Update to version 4.3(2)SR1b.

Cisco Unified Communications Manager software version 5.1:
Update to version 5.1(3e).

Cisco Unified Communications Manager software version 6.1:
Update to version 6.1(3).

Cisco Unified Communications Manager software version 7.0:
Update to version 7.0(2).

PROVIDED AND/OR DISCOVERED BY:
The vendor credits Olivier Grosjeanne of Dimension Data France and
Oliver Dewdney of LBI.

ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090311-cucmpab.shtml

OTHER REFERENCES:
Cisco Applied Mitigation Bulletin:
http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a86434.html

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------
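The affected-version list and the SOLUTION section above describe fixed releases in Cisco's "major.minor(maintenance[letter])[SR<n>[letter]]" version notation, and the trains do not all share the same cut-off (4.1 has no fixed release; 5.x and 6.x are fixed across the whole major train). The following added example (not part of the Secunia or Cisco advisory, written here for inventory triage) parses that notation into a comparable key and reports, for each host in a constructed inventory, whether its version falls inside one of the ranges SA34238 lists. Hostnames and version strings in the sample inventory are constructed; the ranges come only from the advisory text.

```python
import re
from typing import Dict, Optional, Tuple

# CUCM version strings look like "4.2(3)SR4b" or "5.1(3e)":
#   major.minor(maintenance[letter])[SR<n>[letter]]
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<maint>\d+)(?P<maint_letter>[a-z]?)\)"
    r"(?:SR(?P<sr>\d+)(?P<sr_letter>[a-z]?))?$",
    re.IGNORECASE,
)

# (major, minor, maintenance, maintenance-letter rank, SR number, SR-letter rank)
VersionKey = Tuple[int, int, int, int, int, int]


def _letter_rank(letter: str) -> int:
    # No letter sorts before "a", "a" before "b", and so on.
    return 0 if not letter else ord(letter.lower()) - ord("a") + 1


def parse_version(text: str) -> VersionKey:
    """Turn a CUCM version string into a tuple that compares correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CUCM version string: {text!r}")
    return (
        int(m["major"]), int(m["minor"]), int(m["maint"]),
        _letter_rank(m["maint_letter"]),
        int(m["sr"] or 0), _letter_rank(m["sr_letter"]),
    )


# Affected ranges exactly as SA34238 lists them: a predicate selecting the
# train, and the first fixed release in that train (None = no fixed
# release listed, so every version of the train counts as affected).
AFFECTED_RANGES = [
    (lambda v: v[:2] == (4, 1), None),          # CallManager 4.1, all versions
    (lambda v: v[:2] == (4, 2), "4.2(3)SR4b"),  # 4.2 prior to 4.2(3)SR4b
    (lambda v: v[:2] == (4, 3), "4.3(2)SR1b"),  # 4.3 prior to 4.3(2)SR1b
    (lambda v: v[0] == 5, "5.1(3e)"),           # 5.x prior to 5.1(3e)
    (lambda v: v[0] == 6, "6.1(3)"),            # 6.x prior to 6.1(3)
    (lambda v: v[:2] == (7, 0), "7.0(2)"),      # 7.0 prior to 7.0(2)
]


def is_affected(text: str) -> Optional[bool]:
    """True if the version is inside an affected range, False if it is at or
    after the fixed release, None if the advisory does not cover the train."""
    v = parse_version(text)
    for in_train, fixed in AFFECTED_RANGES:
        if in_train(v):
            return True if fixed is None else v < parse_version(fixed)
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each host of a {hostname: version} inventory."""
    labels = {True: "AFFECTED", False: "patched", None: "not covered by SA34238"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "cucm-pub-01": "4.2(3)SR4a",
        "cucm-pub-02": "5.1(3e)",
        "cucm-sub-03": "6.0(1)",
        "cucm-sub-04": "7.1(2)",
    }
    for host, status in triage(sample).items():
        print(f"{host:12s} {sample[host]:12s} {status}")
```

Comparison relies on the tuple ordering Python gives the parsed key, so the service-release suffix and the maintenance letter are both respected (4.2(3)SR4a sorts below 4.2(3)SR4b, 5.1(3) below 5.1(3e)). A train the advisory does not mention, such as 7.1, is reported as "not covered" rather than silently marked patched, which is the safer default for a vulnerability inventory.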