AUSCERT External Security Bulletin Redistribution

                 ESB-2004.0059 -- Cisco Security Advisory
               Voice Product Vulnerabilities on IBM Servers
                              22 January 2004


        AusCERT Security Bulletin Summary

Product:                Cisco CallManager
                        Cisco IP Interactive Voice Response (IP IVR)
                        Cisco IP Call Center Express (IPCC Express)
                        Cisco Personal Assistant (PA)
                        Cisco Emergency Responder (CER)
                        Cisco Conference Connection (CCC)
                        Cisco Internet Service Node (ISN)
Publisher:              Cisco Systems
Operating System:       IBM server prior to OS 2000.2.6
Platform:               IBM X330 (8654 or 8674)
                        IBM X340
                        IBM X342
                        IBM X345
Impact:                 Administrator Compromise
                        Denial of Service
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

Cisco Security Advisory: Voice Product Vulnerabilities on IBM Servers

Revision 1.0 - FINAL

For Public Release 2004 January 21 UTC 1700 (GMT)



Affected Products
Software Versions and Fixes
Obtaining Fixed Software
Exploitation and Public Announcements
Status of This Notice: FINAL
Revision History
Cisco Security Procedures



The default installation of Cisco voice products on the IBM platform
will install the Director Agent in an unsecure state, leaving the
Director services vulnerable to remote administration control and/or
Denial of Service attacks. The vulnerabilities can be mitigated by
configuration changes and Cisco is providing a repair script that will
close the vulnerable ports and put the Director agent in secure state
without requiring an upgrade.

This advisory will be available at

Affected Products

Cisco voice products running on IBM servers installed with the default
configurations are affected if they leave TCP or UDP port 14247 open. To
verify this vulnerability, the administrator may open a command window
on the server and type netstat -a. If port 14247 is listed, the server
is vulnerable to remote administrative control and Denial of Service

Affected Cisco voice products:

   *   Cisco CallManager

   *   Cisco IP Interactive Voice Response (IP IVR)

   *   Cisco IP Call Center Express (IPCC Express)

   *   Cisco Personal Assistant (PA)

   *   Cisco Emergency Responder (CER)

   *   Cisco Conference Connection (CCC)

   *   Cisco Internet Service Node (ISN) running on an IBM with an
       affected OS version.

Affected IBM-based server model numbers:

   *   IBM X330 (8654 or 8674)

   *   IBM X340

   *   IBM X342

   *   IBM X345

   *   MCS-7815-1000

   *   MCS-7815I-2.0

   *   MCS-7835I-2.4

   *   MCS-7835I-3.0

Affected OS Versions:

   *   All operating system (OS) versions running on an IBM server prior 
       to OS 2000.2.6, which has not yet been released as of the date of 
       this notice.


The default installations of Cisco voice products on IBM servers will
install IBM Director in unsecure state leaving TCP and UDP ports 14247
open. Any Director Server/Console agent can connect over port 14247 to
gain administrative level control without requiring authentication.
Also, a network security scanner scanning port 14247 can trigger the IBM
Director agent process twgipc.exe to use 100% of the CPU until the
server is rebooted. These vulnerabilities are documented in the two
Cisco bug IDs:

   *   CSCed33037 - IBM Director agents default install allows remote

   *   CSCed23357 - IBM servers with Director agent 2.2 or 3.11 are
       vulnerable to a DoS.


A Cisco voice server with the IBM Director agent in unsecure state is
susceptible to administrative level control and Denial of Service attacks.

Administrative level control includes the following functionality:
shutdown/power off/restart, remote command shell, file transfer,
processes/services/device drivers stop and start, network configuration
modification (including domain/workgroup membership), Windows 2000 user
account creation, and SNMP configuration modification.

In a Denial of Service attack, an attacker can render the Cisco voice
server inoperative with CPU utilization spiking to 100%, and the IBM
server must be powered off or rebooted in order to regain control of the

Software Versions and Fixes

The vulnerabilities are specific to Cisco voice products on IBM servers
and all vulnerabilities listed in this advisory can be mitigated with
the repair script without requiring an upgrade.

The repair script is available at:


Obtaining Fixed Software

As the mitigation for the vulnerabilities is a repair script, a software
upgrade is not required to address the vulnerabilities. However, if you
have a service contract, and wish to upgrade to unaffected code, you may
obtain upgraded software through your regular update channels once that
software is available. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's Worldwide Web
site at http://www.cisco.com.

If you need assistance with the implementation of the workarounds, or
have questions on the workarounds, please contact the Cisco Technical
Assistance Center (TAC).

   *   +1 800 553 2447 (toll free from within North America)

   *   +1 408 526 7209 (toll call from anywhere in the world)

   *   e-mail: tac@cisco.com <mailto:tac@cisco.com>

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.

Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.


Cisco's repair script adds 3 levels of improved security to the Director

   1. The Director agent no longer listens on TCP or UDP ports 14247 for
      remote connections from a Director Server. This change prevents
      the Denial of Service attacks described in the Impact section.

   2. The repair script secures the Director agent such that even if
      port 14247 is reenabled, the Director agent still would not accept
      connections from any Director Server.

   3. The Director Agent executable files which are not necessary to the
      functioning of the program, yet provide high levels of access or
      control, are completely disabled by this repair script.

Note: If you are using IBM Director Server and Console to monitor the
Cisco voice products, this repair script will disable the connection to
those IBM servers. The Director agents will still provide pop-up
warnings and Event Viewer messages in version 3.11, and SNMP traps to
network management software like CiscoWorks IP Telephony Monitor. To
regain IBM Director Server monitoring capabilities, IBM Director agent
4.11 will be released in OS Upgrade 2000.2.6 and support can be
re-enabled for Director Server after the upgrade to OS version 2000.2.6.

Exploitation and Public Announcements

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

Status of This Notice: FINAL

This is a FINAL notice. Although Cisco cannot guarantee the accuracy of
all statements in this notice, all of the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions
of this advisory unless there is some material change in the facts.
Should there be a significant change in the facts, Cisco will update
this advisory.


This notice will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20040121-voice.shtml. In
addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients:

   *   cust-security-announce@cisco.com
   *   first-teams@first.org (includes CERT/CC)
   *   bugtraq@securityfocus.com
   *   full-disclosure@lists.netsys.com
   *   vulnwatch@vulnwatch.org
   *   cisco@spot.colorado.edu
   *   cisco-nsp@puck.nether.net
   *   comp.dcom.sys.cisco
   *   Various internal Cisco mailing lists

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History

Revision 1.0    2004-January-21    Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at


All contents are Copyright © 1992-2004 Cisco Systems, Inc. All rights
reserved. Important Notices <http://www.cisco.com/public/copyright.html>
and Privacy Statement <http://www.cisco.com/public/privacy.html>.

Version: PGP 7.0.1


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967