Multiple Vulnerabilities Affect Cisco Unified Communications Manager

Vulnerability Summary

- Severity: High
- Advisory ID: cisco-sa-20130821-cucm
- Initial Release Date: August 21, 2013
- CVE ID: CVE-2013-3459, CVE-2013-3460, CVE-2013-3461
- CVSS Score: Base Score 8.5, Temporal Score 7.0
- Workspaces: Not listed
- Cisco Bug ID: CSCub35869, CSCub85597, CSCud54358, CSCuf93466

Affected Products

Cisco Unified Communications Manager 7.1(x), 8.5(x), 8.6(x), 9.0(x), 9.1(x)

Vulnerability Details

Denial of Service Vulnerabilities

- Cisco Unified Communications Manager 7.1(x): A vulnerability exists due to improper error handling, allowing an unauthenticated remote attacker to cause a denial of service on the affected device.
- Cisco Unified Communications Manager 8.5(x), 8.6(x), 9.0(x): Insufficient rate limiting on port 5060 leads to denial of service.
- Cisco Unified Communications Manager 8.5(x), 8.6(x), 9.0(1): Insufficient traffic control on Session Initiation Protocol (SIP) port 5060 results in denial of service.

Buffer Overflow Vulnerability

- Cisco Unified Communications Manager 7.1(x), 8.5(x), 8.6(x), 9.0(x), 9.1(x): Insufficient boundary checking leads to buffer overflow.

Fixed Software

Recommended Updated Versions:

- 7.1(5b)su6a
- 8.5(1)su6, 8.6(2a)su3, 8.6(5)BE3K
- 9.1(2) or later

Exploitation and Public Disclosure

Cisco Product Security Incident Response Team (PSIRT) has not observed any public disclosures or malicious exploitation of the vulnerabilities described above. The vulnerabilities were discovered during internal testing.