Cisco Unity Reports Information Disclosure
The reports section in the shared directory of the Unity server exposes information to all domain users without verifying whether they are Unity users or even the users for whom certain information has been generated.
Cisco Unity 7.0
Cisco has acknowledged the issue and is issuing patches to correct it. More details could be found at http://www.cisco.com/warp/public/707/cisco-sr-20081008-unity.shtml.
In the short term it is recommended that a VoIP aware IPS product, such as VoIPguard, with signatures to detect attempts to exploit this issue, be implemented to prevent it from being exploited. Implementing best practices can limit the exposure of this issue. Cisco is recommending to manually remove the domain users from the share.
Cisco customers with a valid support agreement may wish to speak with their support contact in order to obtain further vendor details.
Each line represents an individual vulnerability or group of vulnerabilities. For example, "UCM Multiple Hardcoded Passwords" is presented here in a single line but was reported to Nortel as sixteen (16) individual vulnerabilities.
Click on a level for description
Vendor Response LegendPatch available
Attempting to address the issue
No vendor response