CUCM IM and Presence Service GNU Bash Environment Variable Handling Command Injection (CSCur05454) (Shellshock)
Critical Nessus Plugin ID 79124
Synopsis
The remote host is missing a vendor-supplied security patch.
Description
According to its self-reported version, the CUCM IM and Presence Service installed on the remote host contains a version of GNU Bash that is affected by a command injection vulnerability known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation, depending on the configuration of the system.
Solution
Upgrade to Cisco Unified Presence Server 10.5(1.12900.2) or later.