
Cisco Unified Customer Voice Portal Denial of Service Vulnerability

cisco-sa-20180117-cvp · High · Published · Updated

A vulnerability in the application server of the Cisco Unified Customer Voice Portal (CVP) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device. The vulnerability is due to malformed SIP INVITE traffic received on the CVP during communications with the Cisco Virtualized Voice Browser (VVB). An attacker could exploit this vulnerability by sending malformed SIP INVITE traffic to the targeted appliance. An exploit could allow the attacker to impact the availability of services and data on the device, causing a DoS condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-cvp

Workarounds

There are no workarounds that address this vulnerability; however, there are ways to mitigate this vulnerability.

1) Ensure the Cisco UCCE (Unified Contact Center Enterprise) infrastructure is configured to only allow incoming SIP traffic from trusted IP addresses.

2) Ensure third-party gateway(s) residing between the CVP & ISP are enabled for content filtering to drop packets containing malformed SIP headers or malicious inputs.
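The two mitigations above can be audited against captured traffic. The following is an added example, not code from the advisory or from Cisco: it flags SIP messages from sources outside a trusted list and INVITEs that lack the header fields RFC 3261 requires. The trusted ranges, host names and sample messages are constructed, and the structural check is a basic well-formedness test, not the specific malformation behind this vulnerability, which the advisory does not describe.

```python
import ipaddress

# Assumption: trusted SIP peers (RFC 5737 documentation ranges), not from the advisory.
TRUSTED = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.10/32")]
# Header fields RFC 3261 section 8.1.1 requires in every request.
MANDATORY = {"to", "from", "cseq", "call-id", "max-forwards", "via"}
COMPACT = {"t": "to", "f": "from", "i": "call-id", "v": "via"}  # compact header forms

def audit_sip(src_ip, raw):
    """Return a list of findings for one captured SIP message."""
    findings = []
    if not any(ipaddress.ip_address(src_ip) in net for net in TRUSTED):
        findings.append("untrusted-source")
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")  # header section only
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        findings.append("bad-request-line")
        return findings
    if parts[0] != "INVITE":
        return findings
    seen = set()
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):  # folded continuation of the previous header
            continue
        name, sep, _ = line.partition(":")
        if not sep or not name.strip():
            findings.append("bad-header-line")
            continue
        key = name.strip().lower()
        seen.add(COMPACT.get(key, key))
    missing = MANDATORY - seen
    if missing:
        findings.append("missing:" + ",".join(sorted(missing)))
    return findings

# Constructed sample messages (hypothetical hosts and identifiers).
GOOD = "\r\n".join([
    "INVITE sip:1000@cvp.example.test SIP/2.0",
    "Via: SIP/2.0/TCP 192.0.2.5:5060;branch=z9hG4bK776asdhds",
    "Max-Forwards: 70",
    "To: <sip:1000@cvp.example.test>",
    "From: <sip:vvb@vvb.example.test>;tag=1928301774",
    "Call-ID: a84b4c76e66710",
    "CSeq: 1 INVITE",
    "Content-Length: 0", "", ""])
BAD = GOOD.replace("Max-Forwards: 70\r\n", "").replace("Call-ID: a84b4c76e66710\r\n", "")

if __name__ == "__main__":
    for src, msg in (("192.0.2.5", GOOD), ("203.0.113.7", BAD)):
        print(src, audit_sip(src, msg))
```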

CVEs: CVE-2018-0086
Cisco Bug IDs: CSCve85840
CVSS Score: Base 8.6
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Product Names From Source: Cisco Unified Customer Voice Portal (CVP)

Related Products

| Product | CVE | Evidence |
| --- | --- | --- |
| Cisco RV Series Routers | CVE-2018-0086 | Cisco OpenVuln |
| Cisco Nexus Dashboard | CVE-2018-0086 | Cisco OpenVuln |
| Cisco Virtualized Voice Browser | CVE-2018-0086 | Cisco OpenVuln |
| Cisco Unified Customer Voice Portal (CVP) | CVE-2018-0086 | Cisco OpenVuln |