Working as a security consultant is very rewarding. Businesses rely on us to see their environment from an attacker’s perspective and find vulnerabilities that could allow threats to succeed. One of the most impactful parts of our role is when we are the first to find a major vulnerability that could lead to widespread compromise beyond our client.
This is what happened this year with the Cisco Unified Communications Manager (CUCM) Instant Messaging and Presence Appliance. We performed an app penetration test against this for one of our clients. In doing so, we discovered an opening that could affect anyone using this device. Read on to find out how we explored the product, how we broke it, and how to put it back together.
What is the CUCM product?
The CUCM solution is a middleware component that allows companies to integrate their various communication devices and manage them using a single platform. In short, it unifies voice, video, data and mobile applications on fixed and mobile networks. Starting with Cisco Unified Communications 9.0, Cisco Unified Presence technology is integrated into the CUCM. Nowadays, most people call this solution the CUCM IM & Presence service. Almost all customers who use the Cisco Jabber instant messaging application have the CUCM IM & Presence deployment.
In the pen test, we first tried to use as few privileges as possible to identify vulnerabilities that less trusted users can reach. Next, we created a replica of the appliance in a lab environment. Using several reverse engineering techniques, we extracted the source code for the web application used to manage the appliance.
Through dynamic testing and analysis of the source code, we found the following vulnerabilities:
- SQL (Structured Query Language) injection, three instances (CVE-2021-1355, CVE-2021-1364, CVE-2021-1282)
- SQL injection leading to arbitrary code execution (CVE-2021-1363, CVE-2021-1365)
- Path traversal (CVE-2021-1357)
- Cross-site scripting (CVE-2021-1407, CVE-2021-1408)
The main goal was to find vulnerabilities that attackers could exploit to elevate their privileges on the appliance. Initially, our team identified several SQL injection vulnerabilities, but the application had a protection module that filtered user input. While inspecting this module, we found a weakness in its logic that let us bypass it, which made three of the SQL injection vulnerabilities exploitable. An attacker could use these to extract sensitive information from the application database, including the administrator’s password hash.
One of the SQL injections was chained with a second vulnerability (an operating system command injection) to execute arbitrary code on the appliance. This chain could allow an attacker with low privileges on the appliance to elevate to a root shell. At that point, the attacker would have full control of the appliance and could use that access to move laterally inside the internal network and attack internal assets and other users.
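The durable fix for the SQL injection class described above is to stop input from ever reaching the SQL grammar, rather than to filter it: a filter module can be bypassed, parameter binding cannot. The following is an added illustration in Python with an in-memory SQLite table; it is not Cisco’s code or the appliance’s schema, and the table, user names and hash values are constructed for the example.

```python
import sqlite3


def build_db():
    # Constructed stand-in for an application user store (not the CUCM schema).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "HASH_A"), ("bob", "HASH_B"), ("admin", "HASH_ADMIN")],
    )
    con.commit()
    return con


def lookup_user_vulnerable(con, name):
    # String concatenation: the caller-supplied value becomes part of the SQL text,
    # so a quote in it ends the literal and the remainder is parsed as SQL.
    sql = "SELECT name, password_hash FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_user_hardened(con, name):
    # Parameter binding: the query text is fixed and the value is passed as data.
    # No input filter is needed for correctness; quotes are just characters.
    sql = "SELECT name, password_hash FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def compare(name):
    # Returns (rows from the vulnerable query, rows from the hardened query) for one input.
    con = build_db()
    return lookup_user_vulnerable(con, name), lookup_user_hardened(con, name)
```

With a benign name both functions return the same single row. With the textbook tautology input, the concatenated query returns every row (every password hash in the table), while the bound query returns nothing because no user is literally named that string. A useful regression check in a test suite is exactly that: hostile input must never return more rows than a benign one.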
We also discovered a local file read vulnerability in one of the application endpoints. It could allow an attacker to read any file accessible to the web server through the vulnerable endpoint.
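The standard check that prevents a local file read of this kind is to canonicalise the requested path and refuse anything that resolves outside the directory the endpoint is meant to serve. The following is an added Python illustration, not code from the appliance; the directory layout and file contents are constructed in a temporary directory for the example.

```python
import os
import tempfile


class PathOutsideBaseError(Exception):
    """Raised when a requested path resolves outside the served directory."""


def resolve_under_base(base_dir, requested):
    # realpath() collapses '..' segments and follows symlinks, so the comparison is
    # made on the path the OS will actually open, not on the string the client sent.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PathOutsideBaseError(requested)
    return target


def read_file_vulnerable(base_dir, requested):
    # No containment check: '../' walks out of base_dir, an absolute path replaces it.
    with open(os.path.join(base_dir, requested), "r") as f:
        return f.read()


def read_file_hardened(base_dir, requested):
    with open(resolve_under_base(base_dir, requested), "r") as f:
        return f.read()


def demo():
    # Constructed layout: <root>/public/notes.txt is meant to be served,
    # <root>/secret.txt sits one level above the served directory.
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.makedirs(public)
    with open(os.path.join(public, "notes.txt"), "w") as f:
        f.write("public notes")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("secret")

    leaked = read_file_vulnerable(public, "../secret.txt")
    try:
        read_file_hardened(public, "../secret.txt")
        blocked = False
    except PathOutsideBaseError:
        blocked = True
    allowed = read_file_hardened(public, "notes.txt")
    return leaked, blocked, allowed
```

Note that the check compares canonical paths rather than looking for the substring `..`: encoded or doubled traversal sequences and symlinks are handled the same way, because the decision is made on what the filesystem would actually open.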
Finally, we discovered a way to bypass and evade the application’s security controls to exploit multiple reflected cross-site scripting issues across several endpoints. An attacker could exploit these by constructing a request with a malicious payload injected into a vulnerable parameter and tricking logged-in users into visiting it.
The payload executes in the victim’s browser, in the context of the victim’s session. It allows the attacker to hijack the user’s session, redirect the victim to an attacker-controlled domain, or carry out other client-side attacks, such as logging keystrokes in the browser or performing arbitrary actions in the context of the application.
We also discovered a sensitive information disclosure in one of the application endpoints. This could allow an authenticated attacker to obtain users’ hashed passwords, which could then be recovered with a dictionary attack.
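Reflected cross-site scripting of the kind described above is fixed at the point where the parameter is written back into the page, by encoding it for the HTML context it lands in; session hijacking through the same bug is further limited by cookie attributes that keep the session token out of script reach. The following is an added Python illustration of both, not code from the appliance; the page fragment, cookie name and session value are constructed for the example.

```python
import html


def render_search_vulnerable(query):
    # The reflected parameter is written into the response verbatim, so any markup
    # it contains becomes part of the page the victim's browser parses.
    return "<p>Results for: " + query + "</p>"


def render_search_hardened(query):
    # Contextual output encoding for an HTML text node: '<', '>', '&' and quotes
    # become entities, so the browser renders the input as text, never as markup.
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def session_cookie_header(session_id):
    # Defence in depth for the session-hijack case: HttpOnly keeps the cookie out of
    # document.cookie even if a script does execute; Secure and SameSite limit where
    # the browser will send it. (Constructed cookie name; not the appliance's.)
    return (
        "Set-Cookie: SESSIONID=" + session_id
        + "; HttpOnly; Secure; SameSite=Lax; Path=/"
    )


def contains_raw_markup(rendered, probe):
    # Simple check for a test suite: does the probe string survive into the page unencoded?
    return probe in rendered
```

A restrictive Content-Security-Policy that disallows inline script is a second layer for the same class of bug, but output encoding is the fix; the header only narrows what an unencoded reflection can do.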
Moving laterally within the enterprise
Because of these vulnerabilities, a low-privileged user could elevate their privileges to the highest level on the CUCM appliance. From there, they could access sensitive data, manipulate sensitive configurations, and install malware on the appliance that monitors and records communication between Cisco Jabber users. An attacker could hijack logged-in users’ sessions or trick users into revealing their credentials. Additionally, because the appliance allows code execution, an attacker could use it as a foothold within the network from which to move laterally.
The next steps: reducing the risk of compromise
So what should you do about it? We recommend installing the latest patches for the Cisco Unified Communications products listed in the Cisco Security Advisories. The fixes for CUCM and CUCM IM & Presence are shown in the graphics below. Links to the advisories can be found in the References section.
An ongoing penetration testing program can also help discover and remediate these types of vulnerabilities. Learn more about X-Force Red’s penetration testing services here.
On July 21, 2021, X-Force Red will host a virtual panel session on threats and vulnerabilities exposing Internet of Things (IoT) devices. Presenters will include IoT industry leaders such as the ioXt Alliance and Silicon Labs.
The CUCM IM & Presence SQL injection vulnerability leads to the execution of arbitrary code:
The CUCM IM & Presence SQL injection vulnerability leads to local file disclosure and path traversal vulnerabilities:
The CUCM cross-site scripting vulnerability leads to an attack on other appliance users: