Cisco Unified Communication Manager (CUCM) is a special application running on a Linux host. Qualys VM supports Cisco Unified Communication Manager (CUCM) host discovery and QID assessment using Qualys Unix SSH authentication as described in our documentation.
How authentication works - First, the Qualys scanner determines whether the target host is a Unix or Cisco device. If it is identified as a CUCM device, the scanner launches QIDs to gather version information using the command “show version active”.
Yes, Qualys VM scans support discovering CUCM targets and properly identifying the CUCM OS found on these targets when Qualys Unix SSH authentication is used. (Discovering CUCM targets using Qualys Unix Cisco type authentication is not supported.) CUCM discovery does not distinguish between “all-in-one” and “cluster” deployments.
Target requirements
- The SSH login in the auth record must have permissions to run the commands required for successful Unix authentication. See *NIX Authenticated Scan Process and Commands.
- The SSH login in the auth record must have permissions to run the command “show version active”. This command is used to identify the CUCM OS properly.
Vulnerability QID testing is supported using SSH authentication. QID testing using SNMP authentication is currently not supported.
Permissions required for Unix SSH authentication are described in the help file Unix Authentication. The same permissions used for Unix SSH auth are used for CUCM OS discovery and QID detections.
Information Gathered QID 45317 is returned in scan results if authentication was successful and the CUCM OS was identified properly.
Vulnerable QIDs for the running OS version are flagged in scan results. For example, if the target is running version 11.5, detections for that version appear in scan results.
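A post-scan check built on that QID, as an added example that is not Qualys code: it reads a results export and reports which expected CUCM targets returned QID 45317. The CSV layout (columns "IP", "QID", "Title"), the sample rows, the placeholder QIDs 900001/900002 and the status names are assumptions made for illustration.

```python
import csv
import io

CUCM_IDENTIFIED_QID = "45317"  # Information Gathered QID named on this page

# Constructed sample export. The IP/QID/Title layout is an assumption, the
# addresses are documentation-range, and 900001/900002 are placeholder QIDs.
SAMPLE_CSV = """IP,QID,Title
192.0.2.10,45317,constructed row: CUCM OS identified
192.0.2.10,900001,constructed placeholder finding
192.0.2.11,900002,constructed placeholder finding
"""


def triage_cucm_targets(csv_text, expected_targets):
    """Classify each expected CUCM target by what the scan results contain."""
    qids_by_ip = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = (row.get("IP") or "").strip()
        qid = (row.get("QID") or "").strip()
        if ip and qid:
            qids_by_ip.setdefault(ip, set()).add(qid)

    report = {}
    for ip in expected_targets:
        qids = qids_by_ip.get(ip)
        if qids is None:
            # Host never appeared in the results: unreachable or not scanned.
            report[ip] = "no_results"
        elif CUCM_IDENTIFIED_QID in qids:
            # Authentication worked and the CUCM OS was identified.
            report[ip] = "identified"
        else:
            # Host was scanned, but 45317 is missing: review the auth record
            # and the login's permission to run "show version active".
            report[ip] = "not_identified"
    return report


if __name__ == "__main__":
    targets = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for ip, status in triage_cucm_targets(SAMPLE_CSV, targets).items():
        print(f"{ip}: {status}")
```

Targets reported as not_identified will not receive CUCM version-based detections, so the absence of vulnerable QIDs on those hosts should not be read as a clean result.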
Qualys CUCM QIDs are based on advisory information present on the Cisco website.
There are currently over 35 QIDs related to CUCM in the Qualys KnowledgeBase. To see a listing, go to the KnowledgeBase and search for vendor “cisco” and product “unified_communications_manager”. Your search results will show the available CUCM QIDs and you can view details on each.
The version list depends on the advisory information present on the Cisco website. The list of affected versions changes every time a new advisory is released and we add a QID for it.
As of June 2018, we have coverage for the following CVEs for CUCM: CVE-2010-0585, CVE-2010-0586, CVE-2011-1604, CVE-2011-1605, CVE-2011-1606, CVE-2011-1607, CVE-2011-1609, CVE-2011-1610, CVE-2013-3459, CVE-2013-3460, CVE-2013-3461, CVE-2013-3462, CVE-2011-3315, CVE-2017-3802, CVE-2017-3798, CVE-2017-3828, CVE-2017-3829, CVE-2017-3836, CVE-2017-12357, CVE-2018-0120, CVE-2018-0328.
Keep in mind we are continuously updating our service, adding and updating QID detections. For complete details on current QID detections, please search the KnowledgeBase as described above and view QID details. You’ll find the latest QID detection info and capabilities including links to relevant CVEs.