Cisco External Jabber (RMA) Security Questions

Muhammad Irfan
Level 1

Hi Team,

We have just deployed external Jabber with Expressway-C and E version 8.5. Our security team has done a security audit and raised some security concerns.

Kindly advise if you can on these points.

1- The security team is able to find the target system's version using Metasploit and also enumerate the verbs allowed from the external world.

Enumerated Information:
Version :- Cisco Video Communication Server (Tanderberg) X8.5.1
Verbs Supported :- INVITE, ACK, BYE, CANCEL, INFO, REFER, NOTIFY

2- Username and password are stored in clear text in the jabber-config.xml file.
Although this file is only installed after a successful Jabber login, so user credentials are needed, an employee could use this account to hide any attacks. File path: C:\Users\UserName\AppData\Roaming\Cisco\Unified Communications\Jabber\CSF\Config\jabber-config.xml

3- The security team was able to send multiple INVITE floods (i.e., a DoS test) to an extension without getting blocked.

4- The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
An attacker could flood the traffic between the endpoint and the destination, trying to force an encryption downgrade. If this is possible, an attacker could capture traffic and perform key brute-forcing at a later stage. Numerous insecurities in this cipher could lead to a successful decryption.

5 Replies

Dennis Mink
VIP Alumni

Regarding point 3, is this flooding INVITEs on the VCS Expressway?

Please remember to rate useful posts, by clicking on the stars below.

Yes, it is from Expressway to the internal CUCM network.

Jonathan Schulenberg
Hall of Fame
  1. Not possible to obscure AFAIK on VCS/Expressway.
  2. Don't use BDI in your jabber-config.xml. Use either EDI or UDS instead. Since only UDS is supported via Expressway/MRA anyway that would probably be your best bet.
  3. I'm unclear who sourced the multiple INVITE messages: an authenticated user via Expressway, someone with sufficient network access to spoof Expressway-C's IP address and send traffic to CUCM, or what?
    • CUCM has a throttle which the Expressway MRA guide has you raise or effectively disable. This is because CUCM always assumed that one IPv4 address represented one user/station. Expressway effectively breaks this rule and at present CUCM doesn't do throttling on a per-registration basis.
      Unified CM denial of service threshold
      High volumes of mobile and remote access calls may trigger denial of service thresholds on Unified CM. This is because all the calls arriving at Unified CM are from the same Expressway-C (cluster).
      If necessary, we recommend that you increase the level of the SIP Station TCP Port Throttle Threshold (System > Service Parameters, and select the Cisco CallManager service) to 750 KB/second.
  4. I believe they are referring to what was commonly called the SSL POODLE vulnerability for which Cisco published a Security Advisory ( http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle ) and has since released a Jabber version which addresses it ( https://tools.cisco.com/bugsearch/bug/CSCus03203 ) in Jabber for Windows 10.6(0).

Thank you very much Jonathan,

For point one, I am not clear: the security auditor told us that they are able to find the version of the system and enumerate the verbs.

An attacker can check for version-specific vulnerabilities on the internet and perform a targeted attack. Able to find the target system's version using Metasploit and also enumerate the verbs allowed from the external world.

Enumerated Information:
Version :- Cisco Video Communication Server (Tanderberg) X8.5.1
Verbs Supported :- INVITE, ACK, BYE, CANCEL, INFO, REFER, NOTIFY
High
It's recommended to hide the system version and also the supported verbs.


For the third point, the following is the detail.

An attacker can generate multiple such requests and flood the SIP gateway or a particular extension, leading to denial of service. We were able to send multiple INVITE floods (i.e., a DoS test) to the XXXX@example.com extension without getting blocked.
151.253.1.52:5060
High
It's recommended that INVITE floods be blocked by the device, in order to avoid DoS.

I would appreciate it if you could also clarify these points.

Take a look at the Intrusion Protection features on Expressway-E. The Cisco Expressway Administrator Guide (X8.5) covers this starting on page 29.
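The per-address throttling problem Jonathan describes (CUCM keys its SIP station throttle on the IPv4 address, so every MRA user arrives from the same Expressway-C address) can be seen in a small sliding-window INVITE counter. This is an added illustration, not Cisco's or the forum poster's code; the log format and all addresses and users are constructed for the example.

```python
import re
from collections import defaultdict, deque

# Constructed sample lines (not real Expressway/CUCM log output): epoch seconds,
# source IP:port, SIP method, From URI. Every request arrives from the same
# Expressway-C address 10.0.0.5, as with MRA; only "mallory" is flooding.
SAMPLE_LOG = """\
1000.0 10.0.0.5:5060 INVITE sip:alice@example.com
1000.2 10.0.0.5:5060 INVITE sip:bob@example.com
1000.3 10.0.0.5:5060 INVITE sip:mallory@example.com
1000.4 10.0.0.5:5060 INVITE sip:mallory@example.com
1000.5 10.0.0.5:5060 INVITE sip:mallory@example.com
1000.6 10.0.0.5:5060 INVITE sip:mallory@example.com
1000.7 10.0.0.5:5060 INVITE sip:mallory@example.com
1000.8 10.0.0.5:5060 INVITE sip:mallory@example.com
1001.0 10.0.0.5:5060 BYE sip:alice@example.com
1005.0 10.0.0.5:5060 INVITE sip:carol@example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+):\d+ (?P<method>[A-Z]+) (?P<frm>\S+)$"
)

def parse(log):
    """Yield (timestamp, source_ip, method, from_uri) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m["ts"]), m["src"], m["method"], m["frm"]

def invite_floods(log, key="from", window=1.0, threshold=5):
    """Return {key: timestamp} for each key whose INVITE count inside any
    sliding `window` seconds reaches `threshold` (timestamp of first trip).
    key="src" mimics an address-based throttle and lumps all MRA users
    together; key="from" keys on the registered user instead."""
    recent = defaultdict(deque)   # key -> timestamps of INVITEs in window
    flagged = {}
    for ts, src, method, frm in parse(log):
        if method != "INVITE":
            continue
        k = src if key == "src" else frm
        q = recent[k]
        q.append(ts)
        while q and ts - q[0] > window:   # drop INVITEs older than window
            q.popleft()
        if len(q) >= threshold and k not in flagged:
            flagged[k] = ts
    return flagged
```

Keyed on source address the whole Expressway-C address trips the threshold (so alice and bob would be throttled too); keyed on the From URI only the flooding user is flagged.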
