Cisco Unified Communications Manager CTLProvider.exe buffer overflow (SSL_Voip_Data_Collector_BO)

About this signature or vulnerability

RealSecure Desktop, Proventia Network IPS, Proventia Network IDS, Proventia Desktop, Proventia-G 1.1 and earlier, IBM Security Server Protection for Windows, Proventia Network MFS, RealSecure Network, RealSecure Server Sensor, BlackICE Server Protection, BlackICE PC Protection, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:

This signature looks for a large CUCM data collector string.

Default risk level

High

Sensors that have this signature

RealSecure Desktop: eqb
Proventia Network IPS: XPU 1.95
Proventia Network IDS: XPU 24.56
Proventia Desktop: 1960
Proventia-G 1.1 and earlier: XPU 24.56
IBM Security Server Protection for Windows: 1.0.914.1960
Proventia Network MFS: XPU 1.95
IBM Security Server Protection for Windows: 2.1.14.2400
RealSecure Network: XPU 24.56
RealSecure Server Sensor: XPU 24.56
BlackICE Server Protection: 3.6.cqb
BlackICE PC Protection: 3.6cqb
Proventia Server IPS for Linux technology: 1.95
Virtual Server Protection for VMware: 1.0

Systems affected

Cisco Unified CallManager: 5.0
Cisco Unified CallManager: 3.3(5)SR2
Cisco Unified CallManager: 4.1(3)SR4
Cisco Unified CallManager: 4.2(3)SR1
Cisco Unified Communications Manager: 4.3(1)
Cisco Unified Communications Manager: 5.1(1)

Type

Unauthorized Access Attempt

Vulnerability description

The Certificate Trust List (CTL) Provider service (CTLProvider.exe) of Cisco Unified Communications Manager (CUCM), formerly Cisco CallManager, is vulnerable to a heap-based buffer overflow caused by an off-by-one error. By sending a specially crafted packet containing a negative value, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the service to crash.

How to remove this vulnerability

Refer to cisco-sa-20070711-cucm for patch, upgrade, or suggested workaround information. See References.

References

cisco-sa-20070711-cucm
Cisco Security Advisory: Cisco Unified Communications Manager Overflow Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20070711-cucm.shtml

IBM Internet Security Systems Protection Advisory July 11, 2007
Cisco Call Manager CTLProvider.exe Remote Code Execution
http://www.iss.net/threats/270.html

ISS X-Force
Cisco Unified Communications Manager CTLProvider.exe buffer overflow
http://www.iss.net/security_center/static/31437.php

CVE
CVE-2006-5277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5277