Call Manager Flaw Exposes Cisco VoIP

Written by Adam Gosling

Tuesday, 20 June 2006
Vulnerabilities discovered in Cisco's Call Manager software by
a Kansas City
solutions provider, FishNet Security, could expose users' account information and
allow hackers to reconfigure VoIP settings.
According to a story running on Computer
Reseller News, FishNet released a report yesterday revealing it had found vulnerabilities
in versions 3.1 and higher of Cisco Systems' premier IP Telephony software,
Call Manager.
Call Manager is believed to have a vulnerability affecting
input validation and output encoding in its Web administration interface which
would allow hackers to execute cross-site scripting attacks. The attack would
require the hacker to trick users into clicking a URL delivered either in an
email or Web page.
In the attack described by FishNet, the attackers would send a
request to the Call Manager Web interface that causes malicious JavaScript to
be included in the page it returns.
If the administrator could be tricked into submitting this
tainted request, the malicious code would execute in the victim's Web browser
and potentially give attackers the ability to delete or reconfigure system
components and gain access to confidential user information, according to the
report.
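The report describes the two controls that failed, input validation and output encoding, only in general terms. The following Python sketch is an added illustration and is not Cisco's or FishNet's code: it models a hypothetical admin search page that echoes a query parameter (the parameter name `device`, the host name and the sample string are all constructed for this example) and shows the unencoded rendering beside the encoded one, plus an allow-list validator and a small check that counts the HTML tags that actually reach the browser.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: an admin search page that reflects the value of
# the hypothetical "device" parameter into its HTML. The value is a generic test
# string, not anything taken from the FishNet report.
SAMPLE_URL = "https://callmanager.example/admin/search?device=<script>alert(1)</script>"

# Allow-list for a device name: letters, digits, underscore and hyphen only.
DEVICE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def device_param(url):
    """Return the 'device' query parameter of a request URL ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("device", [""])[0]


def is_valid_device_name(value):
    """Input validation: accept only values matching the allow-list pattern."""
    return DEVICE_NAME.fullmatch(value) is not None


def render_unencoded(value):
    """Vulnerable pattern: untrusted text is inlined into the HTML verbatim."""
    return f"<p>Results for device: {value}</p>"


def render_encoded(value):
    """Hardened pattern: HTML-encode untrusted text before it reaches the page."""
    return f"<p>Results for device: {html.escape(value, quote=True)}</p>"


class TagCollector(HTMLParser):
    """Collects the start tags the browser would actually see in a response."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(rendered):
    """List of HTML start tags present in a rendered page fragment."""
    collector = TagCollector()
    collector.feed(rendered)
    return collector.tags


def handle_request(url):
    """Defender's flow: reject invalid input, and encode whatever is echoed."""
    value = device_param(url)
    if not is_valid_device_name(value):
        return render_encoded("invalid device name")
    return render_encoded(value)


if __name__ == "__main__":
    value = device_param(SAMPLE_URL)
    print("unencoded tags:", tags_in(render_unencoded(value)))  # ['p', 'script']
    print("encoded tags:  ", tags_in(render_encoded(value)))    # ['p']
    print("handled:       ", handle_request(SAMPLE_URL))
```

The tag count is the useful signal: with the unencoded renderer the untrusted string becomes a live `script` element, while after `html.escape` only the page's own `p` element survives. In practice the allow-list check and the output encoding belong together, since encoding protects every field that is echoed, whereas validation only helps where a strict format is known.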
Cisco's immediate response was to recommend that users verify
link destinations before clicking on URLs. It has also fixed the vulnerability and
will incorporate the fix in future releases.
FishNet recommends administrators limit network connectivity
to Call Manager wherever possible to prevent hackers from discovering public
Web interfaces.
"Simple Google queries are all an attacker needs in
this case to obtain the target Call Manager address. There are few compelling
reasons one could present that would justify public access to Call Manager web
interfaces," writes FishNet.