Cisco recently patched a critical-severity SQL injection vulnerability that could give an unauthenticated, remote attacker “full control” of a vulnerable Unified Communications Manager (UCM) system.
The security issue, tracked as CVE-2019-1843, was discovered by Cisco engineers in Cisco Unified Communications Manager, also known as CUCM and formerly known as CallManager. The vulnerability exists because the system's web-based management interface does not sufficiently validate user-supplied input in certain documented parameters before that input reaches the backend database.
Successful exploitation could allow an attacker to read and modify the UCM's underlying database, or to execute arbitrary code with root privileges on the vulnerable system. According to Cisco's advisory, an attacker could also use the SQL injection to bypass authentication to the management interface.
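To make the mechanism concrete, here is an added, self-contained illustration (not Cisco code, and not derived from the actual CUCM vulnerability) of the general bug class the advisory describes: a web login handler that concatenates unvalidated request parameters into a SQL statement, beside the parameterized version that closes the hole. The table, credentials and handler names are constructed for the example; the point is that the same crafted username that bypasses the first handler is treated as inert data by the second.

```python
import sqlite3


def build_db():
    """Constructed in-memory user table (example data only, not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse', 'administrator')")
    conn.execute("INSERT INTO users VALUES ('operator', 'battery-staple', 'read-only')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Hypothetical handler with the vulnerable pattern: request parameters are
    spliced straight into the SQL text, so a quote in the input changes the query.
    Returns (username, role) on success, None on failure."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_fixed(conn, username, password):
    """Same check with bound parameters: the driver sends the values separately
    from the statement, so quotes and comment markers cannot alter its structure."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    conn = build_db()
    # A username that closes the string and comments out the password check.
    bypass = "admin' --"
    print("vulnerable:", login_vulnerable(conn, bypass, "wrong-password"))
    print("fixed:     ", login_fixed(conn, bypass, "wrong-password"))
    print("fixed, real creds:", login_fixed(conn, "admin", "correct-horse"))
```

Run it and the vulnerable handler logs `admin' --` in as administrator with a wrong password, while the fixed handler returns nothing for the same input and still accepts the legitimate credentials. Parameter binding is the fix; changing ports or wrapping the interface in TLS (the mitigations mentioned later in this article) only limits who can reach the bug, not whether it exists.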
The release primarily affected by the flaw is CUCM version 12.0, for which Cisco has released a software update that addresses the vulnerability. The company said that version 11.5 is also affected, but no update was released for it because that release has passed end-of-life and is no longer supported.
Cisco also said that customers running versions 10.5 and earlier do not need to apply any update, as the vulnerable function is not present in those releases.
The IT giant is urging customers to upgrade to software releases that contain the fix for this vulnerability. For systems that cannot be upgraded immediately, administrators are advised to reduce exposure by changing the administrative interface's port number and by only allowing access to it over encrypted connection protocols.
Cisco has also published an advisory with detailed guidance on securing these networks and other best practices for reducing risk, and warns customers not to place confidential information on the web interface.
This Cyber News was published on www.securityweek.com. Publication date: Sun, 22 Jan 2023 10:48:00 +0000