Privacy and Legal Notice

DOE-CIRC TECHNICAL BULLETIN

T-253: Cisco Unified Presence Denial of Service Vulnerabilities

[CVE-2009-2874 & CVE-2009-2052]

October 19, 2009 13:00 GMT
PROBLEM: Two vulnerabilities were reported in Cisco Unified Presence. A remote user can cause denial of service conditions.
PLATFORM: Cisco Unified Presence 1.x versions, Cisco Unified Presence 6.x versions prior to 6.0(6), Cisco Unified Presence 7.x versions prior to 7.0(4).
ABSTRACT: A remote user can flood TCP ports 16200 or 22794 with completed connections to cause the target TimesTenD process to crash and restart.
LINKS:  
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-253.shtml
  OTHER LINKS: Security Tracker
http://securitytracker.com/alerts/2009/Oct/1023018.html

  CVE: CVE-2009-2874
CVE-2009-2052
IMPACT ASSESSMENT: This risk is medium. A remote user can cause the TimesTenD process to crash and restart or cause voice services to become unavailable. 
[***** Start CVE-2009-2874 & CVE-2009-2052 *****]
Discussion:
Cisco Unified Presence contains two denial of service (DoS) vulnerabilities that may cause an interruption to presence services. 

Network Flooding Vulnerability

Cisco Unified Presence contains a denial of service (DoS) vulnerability that may cause the TimesTenD process to fail when TCP ports 16200 or 22794 are flooded with connections. TCP 3-way handshakes must be completed for the attack to be successful. The TimesTenD process will be automatically restarted upon failure. This vulnerability is documented in Cisco Bug ID CSCsy17662 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-2874.

Network Connection Tracking Vulnerability

Cisco Unified Presence contains a DoS vulnerability that involves the tracking of network connections by the embedded firewall. An attacker can overwhelm the table that is used to track network connections and prevent new connections from being established to system services by establishing many TCP connections with a vulnerable system. Any service that listens to a TCP port on a vulnerable system could be affected by this vulnerability. This vulnerability is documented in Cisco Bug ID CSCsw52371 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-2052.

Solution:
The vendor has released updates.  The URLs are listed below:

Cisco Unified Presence version 6.0(6) is available at the following link:

http://tools.cisco.com/support/downloads/go/ReleaseType.x?optPlat=&isPlatform=Y&mdfid=281010019&sftType=Unified+Presence+Server+%28CUPS%29+Updates&treeName=Voice+and+Unified+Communications&modelName=Cisco+Unified+Presence+Version+6.0&mdfLevel=null&treeMdfId=278875240&modifmdfid=null&imname=&hybrid=Y&imst=N ( registered customers only)

Cisco Unified Presence version 7.0(5) is available at the following link:

http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified+Presence+Server+%28CUPS%29+Updates&mdfid=281820245&treeName=Voice+and+Unified+Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco+Unified+Presence+Version+7.0&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=&hybrid=Y&imst=N ( registered customers only)

Note: Administrators running Cisco Unified Presence version 1.x are encouraged to upgrade to version 6.0 or later.

[***** End CVE-2009-2874 & CVE-2009-2052 *****]
DOE-CIRC wishes to acknowledge the contributions of Cisco for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at: 
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov
UCRL-MI-119788