Vulnerability identifier: #VU64956
Vulnerability risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-208
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Cisco Unified Communications Manager
Server applications /
Other server solutions
Vendor: Cisco Systems, Inc
Description
The vulnerability allows a remote attacker to perform brute-force attack.
The vulnerability exists due to insufficient protection of a system password. A remote attacker can observe the time it takes the system to respond to various queries and guess system password.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Cisco Unified Communications Manager: 12.5(1) - 14.0(1.10000.20)
External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-timing-JVbHECOK
http://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz16266
http://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa91887
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.