Information Exposure Through Timing Discrepancy in Cisco Unified Communications Manager

#VU64956 Information Exposure Through Timing Discrepancy in Cisco Unified Communications Manager

Published: 2022-07-06

Vulnerability identifier: #VU64956

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-20752

CWE-ID: CWE-208

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cisco Unified Communications Manager
Server applications / Other server solutions

Vendor: Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to perform brute-force attack.

The vulnerability exists due to insufficient protection of a system password. A remote attacker can observe the time it takes the system to respond to various queries and guess system password.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Cisco Unified Communications Manager: 12.5(1) - 14.0(1.10000.20)

External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-timing-JVbHECOK
http://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz16266
http://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa91887

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Timing attack in Cisco Unified Communications Manager