Original post: https://labs.f-secure.com/advisories/cisco-ucm-informix-sql-injection/

Product: Cisco Unified Call Manager (UCM) Administrator Portal version 11.5.1.14900-11, other versions may be affected
Severity: Medium
CVE Reference: CVE-2019-15972
Type: SQL Injection

Description

A SQL Injection vulnerability was discovered in the Cisco Unified Call Manager (UCM) administrator portal. An authenticated user can use this vulnerability to enumerate the entire database used by Cisco UCM, including any secrets it holds, such as password hashes.

The SQL Injection issue was found in several areas of the application. Below is a URL that was used to discover the first injection point. The GET parameter whereClause contained the SQL Injection payload:

https://<cucm_admin_portal>/ccmadmin/userGroupFindList.do?searchLimVal3=&searchLimVal4=&whereClause=1=1 AND (select ascii(substring(tabname from 1 for 1)) FROM systables where tabid = 1) > 64&searchLimVal1=&searchLimVal2=&searchLimVal7=&searchLimVal8=&searchLimVal5=&searchLimVal6=&rowsPerPageControl=/ccmadmin/userGroupFindList.do?lookup=true&colCnt=4&searchLimVal0=&lookup=true&rowsPerPage=50&searchLimVal9=&pageNumber=1&recCnt=37&multiple=true

The above SQL statement can be broken down into the following:

  • 1=1 AND - establishes a true condition and forces the underlying SQL query to evaluate the SQL statement that follows it.
  • select ascii(substring(tabname from 1 for 1)) FROM systables where tabid = 1 - In Informix SQL, all table names (tabname) are kept in a system catalog table called systables, where each table is assigned a unique ID value (tabid). This subquery selects the table with tabid 1, takes the first character of its name and converts that character to its ASCII code.
  • > 64 - evaluates whether the ASCII code returned by the subquery is greater than 64.

This SQL Injection was classified as a Boolean-based blind injection: the size of the server's response depends on whether the injected SQL condition evaluates to true or false. By repeating the comparison for each character position, it is possible to enumerate the underlying tables, columns and entries one character at a time.

Multiple Injection Points

The above SQL Injection point was discovered and verified with the tool SQLMap, and the backend database was confirmed to be Informix. After the initial discovery, several other injection points, undetectable by SQLMap, were manually discovered.

After the initial disclosure to Cisco, their internal team also verified additional SQL Injection points throughout the application.

Custom Tool Exploitation

As stated, SQLMap could be used to discover and verify the above Informix SQL Injection point. However, SQLMap could not be used to do the following:

  • Extract contents of the underlying database
  • Discover or confirm any other SQL Injection point within the application

F-Secure created some scripts that can be used to fully exploit this issue. They rely on the above SQL Injection point, but can be modified to work with any other SQL Injection point.

Remediation and Mitigation

At the time of this advisory’s posting, Cisco is working on releasing the following patches to the UCM application that will resolve this issue:

  • UCM version 11.5.2SU7
  • UCM version 12.5.1SU2

If upgrading UCM to the above versions is not possible, the following mitigations are recommended:

  • Use UCM's LDAP login feature to manage who can log in to UCM
  • Audit the current list of users who can log in to UCM
  • Monitor network traffic to/from the UCM application to see if this vulnerability is being exploited
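As an added example for the monitoring recommendation (not part of the advisory), the check below scans web-server access log lines for requests to the affected endpoint whose whereClause parameter carries SQL constructs of the kind shown in the Description section. The log lines are constructed for the example, and the assumption that a benign whereClause never contains a subselect or the ascii/substring functions is the example's own; tune the patterns against real traffic before alerting on them.

```python
"""Detect Boolean-blind SQL injection attempts against userGroupFindList.do (added example)."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined-log-format style line: client, request line, status, size (constructed format).
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)')

# Constructs that the advisory's payload uses and that a normal search filter should not
# (assumption for the example): a subselect, ascii()/substring(), or the systables catalog.
SUSPICIOUS = [
    re.compile(r"\(\s*select\b", re.I),
    re.compile(r"\b(ascii|substring)\s*\(", re.I),
    re.compile(r"\bsystables\b", re.I),
    re.compile(r"\bsleep\s*\(", re.I),
]

def inspect_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a line that injects SQL through whereClause, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    if not url.path.endswith("/ccmadmin/userGroupFindList.do"):
        return None
    clause = parse_qs(url.query).get("whereClause", [""])[0]
    clause = unquote_plus(clause)           # the log may carry it double-encoded
    hits = [p.pattern for p in SUSPICIOUS if p.search(clause)]
    if not hits:
        return None
    return {"client": m.group("client"), "time": m.group("ts"),
            "whereClause": clause, "matched": ", ".join(hits)}

def scan(lines: List[str]) -> List[Dict[str, str]]:
    return [f for f in (inspect_line(l) for l in lines) if f]

# Constructed sample log lines: one benign search, one probe like the advisory's, one unrelated.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Nov/2019:10:00:01 +0000] "GET /ccmadmin/userGroupFindList.do?whereClause=1%3D1&lookup=true HTTP/1.1" 200 5120',
    '10.0.0.9 - - [20/Nov/2019:10:00:02 +0000] "GET /ccmadmin/userGroupFindList.do?whereClause=1%3D1+AND+%28select+ascii%28substring%28tabname+from+1+for+1%29%29+FROM+systables+where+tabid+%3D+1%29+%3E+64&lookup=true HTTP/1.1" 200 9870',
    '10.0.0.9 - - [20/Nov/2019:10:00:03 +0000] "GET /ccmadmin/main.do HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A single probe is enough to flag; a real extraction run shows up as hundreds of requests from one client to the same endpoint with only the numeric position and threshold in whereClause changing, so counting findings per client over a short window is the natural second stage.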

Timeline

Date Summary
26/04/2019 Issue reported to vendor
07/05/2019 Vendor responded, requested additional details
07/05/2019 Additional details sent
22/05/2019 Vendor responded, internal analysis still in progress
11/06/2019 Vendor responded, vulnerability confirmed in multiple versions of UCM
14/06/2019 Vendor responded, internal teams engaged to determine if other products are affected
14/06/2019 Informed vendor of client pre-release disclosure
14/09/2019 Vendor responded, approved of client pre-release disclosure
25/09/2019 F-Secure and vendor agree to a joint public disclosure date of 20 November
20/11/2019 Public disclosure