PT-2009-3273 · Cisco · Cisco Unified Communications Manager

Published: 2009-03-12 · Updated: 2017-08-17 · CVE-2009-0632

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Cisco Unified Communications Manager versions 4.1 through 4.2 before 4.2(3)SR4b
Cisco Unified Communications Manager versions 4.3 before 4.3(2)SR1b
Cisco Unified Communications Manager versions 5.x before 5.1(3e)
Cisco Unified Communications Manager versions 6.x before 6.1(3)
Cisco Unified Communications Manager versions 7.0 before 7.0(2)

Description

The IP Phone Personal Address Book (PAB) Synchronizer feature in Cisco Unified Communications Manager sends privileged directory-service account credentials to the client in cleartext. This allows remote attackers to modify the configuration and perform other privileged actions by intercepting these credentials and using them in unrelated requests. The vulnerability affects DC Directory account credentials in versions 4.x and TabSyncSysUser account credentials in versions 5.x through 7.x.

Recommendations

For version 4.1, update to a version after 4.2(3)SR4b to resolve the issue.
For versions 4.2 before 4.2(3)SR4b, update to 4.2(3)SR4b or later.
For versions 4.3 before 4.3(2)SR1b, update to 4.3(2)SR1b or later.
For versions 5.x before 5.1(3e), update to 5.1(3e) or later.
For versions 6.x before 6.1(3), update to 6.1(3) or later.
For versions 7.0 before 7.0(2), update to 7.0(2) or later.
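The version ranges above are awkward to triage by hand because Cisco release strings mix dotted numbers, parenthesised build numbers with letter suffixes, and SR (service release) suffixes. The following is an added example, not part of the advisory or Cisco's tooling: it parses such strings into comparable tuples and checks an inventory entry against the first fixed release of each affected family listed on this page. Version families not named in the advisory (7.1, 8.x and later) are treated as out of scope rather than as fixed.

```python
import re

# First fixed release per affected family, transcribed from the advisory text above.
# Key is (major, minor); minor=None means the whole major family (5.x, 6.x).
FIXED_RELEASES = {
    (4, 1): "4.2(3)SR4b",
    (4, 2): "4.2(3)SR4b",
    (4, 3): "4.3(2)SR1b",
    (5, None): "5.1(3e)",
    (6, None): "6.1(3)",
    (7, 0): "7.0(2)",
}

# major.minor, optional (build[letter]), optional SR<n>[letter], e.g. 4.2(3)SR4b or 5.1(3e)
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\((\d+)([a-z]?)\))?(?:SR(\d+)([a-z]?))?$", re.IGNORECASE
)


def parse_version(text):
    """Turn a CUCM version string such as '4.2(3)SR4b' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CUCM version string: {text!r}")
    major, minor, build, build_letter, sr, sr_letter = m.groups()
    # Missing build/SR components sort before any present one, which matches
    # Cisco's ordering (4.2(3)SR4 precedes 4.2(3)SR4b, 5.1(3) precedes 5.1(3e)).
    return (
        int(major),
        int(minor),
        int(build) if build else 0,
        (build_letter or "").lower(),
        int(sr) if sr else 0,
        (sr_letter or "").lower(),
    )


def is_affected(text):
    """True if the version lies in an affected range from the advisory."""
    v = parse_version(text)
    for (major, minor), fixed in FIXED_RELEASES.items():
        if v[0] == major and (minor is None or v[1] == minor):
            return v < parse_version(fixed)
    return False  # family not covered by this advisory; not a statement that it is fixed


if __name__ == "__main__":
    for sample in ["4.2(3)SR4a", "4.2(3)SR4b", "5.1(3d)", "5.1(3e)", "7.0(1)"]:
        print(sample, "affected" if is_affected(sample) else "not affected")
```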

Related Identifiers: CVE-2009-0632

Affected Products: Cisco Unified Communications Manager