Hardcoded SSH Key Enables Backdoor in Cisco`s Unified Communication Domain Manager

A hardcoded and unprotected SSH key for remote support access has been found inside Cisco`s Unified Domain Communication Manager (CUCDM), according to a Cisco advisory. The backdoor could be used by an attacker to control the platform and all deployments.

The CUCDM manages video, voice, messaging, mobility and instant messaging applications, or other services for enterprise in a single unified platform. Cisco advised of three major vulnerabilities, including privilege escalation and unauthorized data manipulation.

The SSH key vulnerability is due to poor implementation of the support framework in the CUCDM Platform Software, as it allows a potential attacker to gain full system privileges as root user.

“The vulnerability is due to the presence of a default SSH private key, which is stored in an insecure way on the system,” the advisory said.

The second vulnerability, of privilege escalation, is located in the web framework of the CUCDM application software and can allow an attacker to gain system administrator rights.

“The vulnerability is due to improper implementation of authentication and authorization controls of the Administration GUI.”

The exploit can be easily done via a crafted URL to change user administrative credentials, as the attacker needs to persuade a valid Admin GUI user to access a malicious link or just be authenticated in the system.

The third vulnerability deals with unauthorized data manipulation in the CUCDM`s BVSMWeb that could allow an attacker to perform remote access to the BVSMWeb portal, and tamper with user data, such as speed dials, call forward settings, personal phone directory settings or Single Number Reach.

The exploit is doable by sending to the affected system a crafted URL, as the vulnerability is “due to improper implementation of authentication and authorization controls when accessing some web pages of the BVSMWeb portal.”

A CUCDM update has been released by Cisco to fix the backdoor and the other privilege escalation vulnerability. A mitigation solution has also been provided for the unauthorized data manipulation vulnerability, as it could not be fixed.