Cisco Unity Connection Web Interface SQL Injection Vulnerability

A vulnerability in the web interface of Cisco Unity Connection (UC) could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries. The vulnerability is due to a lack of input validation on user-supplied input in SQL queries. An attacker could exploit this vulnerability by entering a maliciously crafted value containing SQL commands as an HTTP POST request parameter. An exploit could allow the attacker to determine the presence of certain values in the database.  Cisco has confirmed the vulnerability; however, software updates are not available. To exploit this vulnerability, an attacker must authenticate to the targeted device. This access requirement may reduce the likelihood of a successful exploit. Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available. This vulnerability was reported to Cisco by Paul Heneghan from NCIA/NCIRC.

Administrators are advised to contact the vendor regarding future updates and releases.

Administrators are advised to allow only trusted users to have network access.

Administrators are advised to allow only privileged users to access administration or management systems.

For additional information about SQL injection attacks and defenses, see Understanding SQL Injectionhttp://www.cisco.com/web/about/security/intelligence/sql_injection.html .

Administrators are advised to monitor affected systems.