A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to perform a timing attack. This vulnerability is due to insufficient protection of a system password. An attacker could exploit this vulnerability by observing the time it takes the system to respond to various queries. A successful exploit could allow the attacker to determine a sensitive system password.
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Unified_communications_manager | Cisco | 12.5(1) (including) | 12.5(1)su6 (excluding) |
| Unified_communications_manager | Cisco | 14.0 (including) | 14su1 (excluding) |
| Unity_connection | Cisco | 12.5(1) (including) | 12.5(1)su6 (excluding) |
| Unity_connection | Cisco | 14.0 (including) | 14su1 (excluding) |