In association with heise online

17 January 2008, 11:03

Heap overflow in Cisco Unified Communications Manager


Cisco has warned of a vulnerability in its Unified Communications Manager, also known as CallManager, which handles call processing for Cisco's IP telephony products. The vulnerability allows remote attackers to execute arbitrary code or cause a denial of service. Authentication is not required to exploit it.

The flaw exists within the Certificate Trust List Provider Service (CTLProvider.exe), which authenticates and distributes certificates. It normally listens on TCP port 2444 over an SSL-encrypted transport. Because of a flaw in the way data is received in a loop, the service can write beyond its heap allocation, allowing arbitrary code execution. No specific details of the flaw have been provided.
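The advisory does not show the defective loop, but the bug class it names is easy to illustrate. The following C example is added here and is not Cisco's code (it does not reflect how CTLProvider.exe actually frames or parses its protocol): it receives a frame with a hypothetical 2-byte length prefix into a fixed-size heap block from a constructed in-memory stand-in for the socket, and the comments mark the bound an unbounded receive loop would lack.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
enum { RX_OK = 0, RX_TOO_LARGE = -1, RX_TRUNCATED = -2, RX_OOM = -3 };

/* Constructed stand-in for the SSL/TCP connection: at most 'chunk' bytes per call, 0 once closed. */
typedef struct { const uint8_t *data; size_t len, pos, chunk; } fake_conn;
static size_t fake_recv(fake_conn *c, uint8_t *out, size_t want) {
    size_t n = c->len - c->pos;
    if (n > want) n = want;
    if (n > c->chunk) n = c->chunk;
    memcpy(out, c->data + c->pos, n);
    c->pos += n; return n;
}
/* Loops until exactly n bytes have arrived or the peer closes. Each call asks only for the n - got
 * bytes still missing, so no write lands past buf + n; the defective loop the advisory describes
 * lacks that bound and appends whatever arrives until the peer stops sending. */
static int recv_exact(fake_conn *c, uint8_t *buf, size_t n) {
    for (size_t got = 0; got < n; ) {
        size_t r = fake_recv(c, buf + got, n - got);
        if (r == 0) return RX_TRUNCATED;
        got += r;
    }
    return RX_OK;
}
/* Hypothetical framing (the real CTL protocol is not described): 2-byte big-endian body length,
 * then the body, received into a 'cap'-byte heap block allocated only after the length check. */
static int recv_frame(fake_conn *c, size_t cap, uint8_t **out, size_t *out_len) {
    uint8_t hdr[2];
    int rc = recv_exact(c, hdr, 2);
    if (rc != RX_OK) return rc;
    size_t declared = ((size_t)hdr[0] << 8) | hdr[1];
    if (declared > cap) return RX_TOO_LARGE;
    uint8_t *buf = malloc(cap); if (!buf) return RX_OOM;
    if ((rc = recv_exact(c, buf, declared)) != RX_OK) { free(buf); return rc; }
    *out = buf; *out_len = declared; return RX_OK;
}
/* Feeds one stream through recv_frame; on success the body must also equal 'expect' (else -99). */
static int try_stream(const uint8_t *s, size_t len, size_t chunk, size_t cap, const char *expect) {
    fake_conn c = { s, len, 0, chunk };
    uint8_t *body = NULL; size_t n = 0;
    int rc = recv_frame(&c, cap, &body, &n);
    if (rc == RX_OK && (n != strlen(expect) || memcmp(body, expect, n) != 0)) rc = -99;
    free(body); return rc;
}
static const uint8_t frame_ok[]    = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};  /* constructed samples */
static const uint8_t frame_short[] = {0x00, 0x05, 'h', 'e'};                 /* peer closes early */
static const uint8_t frame_big[]   = {0x01, 0x00, 'x'};                      /* claims a 256-byte body */
```

The chunk size of the fake connection forces partial reads, which is exactly the case in which a receive loop must track how much of the allocation is already used.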

The problem affects Unified Communications Manager 4.2 prior to 4.2(3)SR3 and 4.3 prior to 4.3(1)SR1, as well as Unified CallManager 4.0 and 4.1 prior to 4.1(3)SR5c. Cisco has provided links to software updates in its security advisory. No update is available for Unified CallManager 4.0, and Cisco recommends upgrading to Version 4.1. Administrators should apply these updates as soon as possible.
