Cisco Bug: CSCun63825 - IMS Java library does not check FQDN during TLS connection with LDAP

Last Modified

Nov 16, 2020

Products (6)

  • Cisco Unified Communications Manager (CallManager)
  • Cisco Business Edition 6000 Version 8.5
  • Cisco Business Edition 5000 Version 8.5
  • Cisco Unity Connection Version 8.5
  • Cisco Business Edition 6000 Version 8.6
  • Cisco Unified Communications Manager Version 8.5

Known Affected Releases

8.5(1)

Description (partial)

Symptom:
Cisco Unified Communications Manager devices do not strictly enforce fully qualified domain name (FQDN) checking on TLS connections of certain connection types. An attacker who was able to steal the private key and certificate of an LDAP server could therefore impersonate that server.

This issue was first noticed during the investigation of why CTI applications (e.g. CUCILync in Hard Phone Control Mode) were unable to authenticate with LDAP. It was discovered that the CTI TLS validation library performed much stricter certificate checks than the main Cisco UCM applications. The strict checks can be worked around by forcing IP address checking only, as described in the workarounds below. Best practice dictates that strict FQDN enforcement be required by default when processing all TLS connections and that the behavior of all TLS validation libraries be unified. This change may impact the ability of Cisco UCM to connect to LDAP servers that are placed behind load balancers.

Conditions:
The LDAP server configured in CCMAdmin uses a DNS load balancer. (For example, the configuration points to adaccess.example.com, which then load balances between many real LDAP servers based on geography, etc. The LDAP server that answers the request could be any one of them, and will present a certificate for an FQDN other than 'adaccess.example.com'.)
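To make the failure mode concrete, here is an added illustration (not Cisco code, and not the library named in the bug) of the server-identity check that a TLS client is expected to perform for an LDAPS connection, following the RFC 6125 / RFC 2818 rules for dNSName and iPAddress matching. The certificate data is constructed inline as a stand-in for a parsed X.509 certificate. It shows why a backend LDAP server's certificate issued only for its own name (ldap-dc1.example.com) fails strict checking when the client was configured with the load-balanced name (adaccess.example.com), why the fix on the server side is to include the load-balanced name as a subjectAltName on every backend, and why skipping the name check entirely (the bug's behaviour, modelled by `enforce_fqdn=False`) lets any holder of a valid server certificate and key be accepted. The function and class names are this example's own.

```python
"""Simplified TLS server-identity check for an LDAPS client (added example).

Models two behaviours: strict FQDN checking (the secure default) and the
absence of any name check (the behaviour the bug report describes).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """The identity-bearing parts of a server certificate (constructed
    stand-in for a parsed X.509 certificate, not a real cert)."""
    dns_names: list[str] = field(default_factory=list)     # SAN dNSName entries
    ip_addresses: list[str] = field(default_factory=list)  # SAN iPAddress entries


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    and '*' accepted only as the whole left-most label with at least two
    labels after it ('*.example.com' matches 'adaccess.example.com' but
    not 'a.b.example.com', 'example.com' or anything for '*.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def verify_server_identity(configured_host: str, cert: ServerCert,
                           enforce_fqdn: bool = True) -> bool:
    """Return True if `cert` is valid for the host the client was configured
    to reach. With enforce_fqdn=False the name is never compared, which is
    the weakness described in the bug: any valid server certificate is
    accepted, so a stolen LDAP server key is enough to impersonate it."""
    if not enforce_fqdn:
        return True
    if is_ip_literal(configured_host):
        # An IP literal must appear as an iPAddress SAN; dNSName entries
        # that merely look like an address do not count.
        target = ipaddress.ip_address(configured_host)
        return any(ipaddress.ip_address(ip) == target for ip in cert.ip_addresses)
    return any(dns_name_matches(name, configured_host) for name in cert.dns_names)


def load_balancer_scenarios() -> dict[str, bool]:
    """The situation from the bug's Conditions: the client is configured with
    the load-balanced name, but the answering backend presents its own cert."""
    lb_name = "adaccess.example.com"
    backend_only = ServerCert(dns_names=["ldap-dc1.example.com"])
    backend_with_lb = ServerCert(dns_names=["ldap-dc1.example.com", lb_name])
    wildcard = ServerCert(dns_names=["*.example.com"])
    return {
        "strict, backend cert lacks LB name": verify_server_identity(lb_name, backend_only),
        "strict, backend cert includes LB name": verify_server_identity(lb_name, backend_with_lb),
        "strict, wildcard cert": verify_server_identity(lb_name, wildcard),
        "no FQDN check, backend cert lacks LB name": verify_server_identity(
            lb_name, backend_only, enforce_fqdn=False),
    }


if __name__ == "__main__":
    for case, accepted in load_balancer_scenarios().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The practical takeaway for the load-balancer condition above is that strict checking is not the problem to remove: each backend's certificate should carry the name the clients are configured with (here adaccess.example.com) as a subjectAltName, or the client should be pointed at an address that the certificate actually covers.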

Related Community Discussions

CUCM 10.5.2, CCMAdmin Login with LDAP problem
Hello everybody, I have a small but important problem... We have a CUCM Cluster with Version 10.5.2.12901-1. I did the last SU2a Update, so before we were using Version 10.5.2.10000-5. We have two LDAP Directories. The first for all Admins and the second one for Standard End Users. Before I did the SU1a Update, we could Login to the CCMAdmin Page with our AD User and Password. Since I have updated the CUCM, it doesn't work anymore. We didn't change anything about certificates or something else. Just installed ...
Latest activity: Oct 16, 2015