CWE
255
Advisory Published
Updated

CVE-2009-0632

First published: Thu Mar 12 2009(Updated: )

The IP Phone Personal Address Book (PAB) Synchronizer feature in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.1, 4.2 before 4.2(3)SR4b, 4.3 before 4.3(2)SR1b, 5.x before 5.1(3e), 6.x before 6.1(3), and 7.0 before 7.0(2) sends privileged directory-service account credentials to the client in cleartext, which allows remote attackers to modify the CUCM configuration and perform other privileged actions by intercepting these credentials, and then using them in requests unrelated to the intended synchronization task, as demonstrated by (1) DC Directory account credentials in CUCM 4.x and (2) TabSyncSysUser account credentials in CUCM 5.x through 7.x.

Credit: ykramarz@cisco.com

Affected SoftwareAffected VersionHow to fix
Cisco Unified Communications Manager Session Management Edition=5.1\(3c\)
Cisco Unified Communications Manager Session Management Edition=6.1\(2\)
Cisco Unified Communications Manager Session Management Edition=5.1\(2a\)
Cisco Unified Communications Manager Session Management Edition=6.0\(1\)
Cisco Unified Communications Manager Session Management Edition=5.1\(2\)
Cisco Unified Communications Manager Session Management Edition=4.2\(3\)sr2b
Cisco Unified Communications Manager Session Management Edition=5.0
Cisco Unified Communications Manager Session Management Edition=4.3\(2\)sr1
Cisco Unified Communications Manager Session Management Edition=5.1\(2b\)
Cisco Unified Communications Manager Session Management Edition=6.1
Cisco Unified Communications Manager Session Management Edition=4.2
Cisco Unified Communications Manager Session Management Edition=4.3
Cisco Unified Communications Manager Session Management Edition=6.1\(3\)
Cisco Unified Communications Manager Session Management Edition=6.1\(1\)
Cisco Unified Communications Manager Session Management Edition=5.1\(3d\)
Cisco Unified Communications Manager Session Management Edition=4.2\(3\)sr1
Cisco Unified Communications Manager Session Management Edition=4.3\(1\)sr.1
Cisco Unified Communications Manager Session Management Edition=7.0\(1\)
Cisco Unified Communications Manager Session Management Edition=4.2\(3\)sr4
Cisco Unified Communications Manager Session Management Edition=5.1\(3\)
Cisco Unified Communications Manager Session Management Edition=4.1
Cisco Unified Communications Manager Session Management Edition=6.0\(1a\)
Cisco Unified Communications Manager Session Management Edition=5.1\(1\)
Cisco Unified Communications Manager Session Management Edition=7.0
Cisco Unified Communications Manager Session Management Edition=4.3\(2\)
Cisco Unified Communications Manager Session Management Edition=6.1\(2\)su1
Cisco Unified Communications Manager Session Management Edition=5.1\(3a\)
Cisco Unified Communications Manager Session Management Edition=6.0
Cisco Unified Communications Manager Session Management Edition=4.2\(3\)sr3
Cisco Unified Communications Manager Session Management Edition=6.1\(1a\)

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is the severity of CVE-2009-0632?

    CVE-2009-0632 is rated as a medium severity vulnerability due to its potential to expose sensitive credentials.

  • How do I fix CVE-2009-0632?

    To fix CVE-2009-0632, upgrade to a patched version of Cisco Unified Communications Manager as specified in the security advisory.

  • What kind of vulnerabilities does CVE-2009-0632 expose?

    CVE-2009-0632 exposes privileged directory-service account credentials, which can lead to unauthorized access.

  • What versions are affected by CVE-2009-0632?

    CVE-2009-0632 affects multiple versions of Cisco Unified Communications Manager, specifically versions prior to 4.2(3)SR4b, 4.3(2)SR1b, 5.1(3e), and others listed in the advisory.

  • What components of Cisco Unified Communications Manager are impacted by CVE-2009-0632?

    The CVE-2009-0632 vulnerability affects the IP Phone Personal Address Book (PAB) Synchronizer feature of Cisco Unified Communications Manager.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203