Cisco Swats Critical CallManager Bug
Switching and routing giant Cisco has shipped a high-priority update to fix a critical flaw affecting its CallManager software product.
The bug, discovered and reported by researchers at TippingPoint's DVLabs, could allow remote attackers to execute arbitrary code on vulnerable installations of Cisco CallManager.
Authentication is not required to exploit this vulnerability, TippingPoint warned in an alert.
The specific flaw exists within the CTL Provider Service, CTLProvider.exe, which binds to TCP port 2444. The service operates over an SSL-encrypted transport. Due to a logic flaw in the way data is received in a loop, a heap allocation can be arbitrarily overflowed, resulting in control of subsequent heap chunks. This can lead to arbitrary code execution.
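To make that bug class concrete, here is an added illustration written for this article (hypothetical code, not Cisco's CTLProvider.exe): a receive loop that sizes its heap chunk from a declared length but keeps writing as long as the peer keeps sending, beside the bounded version a fix would use. The `peer_t`/`peer_recv` stand-in for a socket and the sentinel harness are constructed for the demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a socket: the peer alone decides how many bytes arrive. */
typedef struct { const uint8_t *data; size_t len, pos; } peer_t;

static size_t peer_recv(peer_t *p, uint8_t *out, size_t want) {
    size_t n = p->len - p->pos;
    if (n > want) n = want;
    memcpy(out, p->data + p->pos, n);
    p->pos += n;
    return n;
}

/* Flawed pattern: the chunk was sized from a declared length, but the loop
   reads until the peer stops sending, so the peer controls how far past the
   allocation the writes land.  Returns bytes written into buf. */
static size_t recv_loop_flawed(peer_t *p, uint8_t *buf, size_t declared) {
    size_t total = 0, n;
    (void)declared;                     /* never consulted: that is the bug */
    while ((n = peer_recv(p, buf + total, 64)) > 0)
        total += n;
    return total;
}

/* Fixed pattern: each read is bounded by the space left in the chunk and
   the loop stops once the chunk is full; any surplus is simply not read. */
static size_t recv_loop_fixed(peer_t *p, uint8_t *buf, size_t declared) {
    size_t total = 0, n;
    while (total < declared &&
           (n = peer_recv(p, buf + total, declared - total)) > 0)
        total += n;
    return total;
}

/* Harness: allocate the declared size plus a 16-byte sentinel so the flawed
   loop's overrun is observable without touching real heap metadata.
   Returns how many sentinel bytes were clobbered (0 means no overrun). */
static size_t run(size_t (*loop)(peer_t *, uint8_t *, size_t),
                  const uint8_t *msg, size_t msg_len, size_t declared) {
    uint8_t *chunk = malloc(declared + 16);
    size_t clobbered = 0, i;
    memset(chunk + declared, 0xAA, 16);
    peer_t p = { msg, msg_len, 0 };
    loop(&p, chunk, declared);
    for (i = 0; i < 16; i++) clobbered += chunk[declared + i] != 0xAA;
    free(chunk);
    return clobbered;
}

/* Constructed sample: the peer declares an 8-byte message but sends 20 bytes. */
static const uint8_t sample[] = "ABCDEFGHIJKLMNOPQRST";
```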
Symantec's DeepSight spells out potential attack scenarios:
1. An attacker locates a computer hosting the vulnerable application.
2. The attacker constructs and submits malicious data sufficient to trigger this issue. The data will consist of attacker-supplied values for allocating memory, malicious code, a replacement memory address and possibly NOP instructions.
3. When the application processes the data, attacker-supplied code will execute, completely compromising the affected computer. Failed exploit attempts will likely crash the computer, denying service to legitimate users.
Cisco has confirmed the code execution severity of this bug, noting that it carries a CVSS Base Score of 10.0, the highest score possible.