Cisco VoIP Vulnerability Rated A 10

Written by Adam Gosling

Thursday, 13 July 2006
Cisco has detailed two vulnerabilities in its Unified CallManager for VoIP systems. The flaws are serious: Symantec has rated them a 10 out of a possible 10.
The two flaws are reportedly in the command line management interface (CLI) for Cisco's Unified CallManager 5.0. They would allow a logged-in administrator to gain root privileges and execute code, overwrite files, and launch denial of service attacks, Cisco said.
CallManager 5.0 also includes a buffer overflow vulnerability that attackers can exploit by placing excessively long hostnames into SIP requests along with malicious code, paving the way for code execution and denial of service attacks, according to this report.
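The hostname flaw described above is the classic fixed-buffer pattern: a parser copies a host field it assumes will be short. As an added defensive example (not Cisco's code and not from the original article), the Python below pulls the host part out of the Request-URI and the host-bearing headers of a SIP request and flags any host that breaks the DNS limits of 253 characters overall or 63 per label. No legitimate call ever carries such a host, so a sensor or test harness in front of a call server can use the check as a trip-wire for malformed traffic. The SIP messages and addresses are constructed samples, not captured traffic.

```python
import re

# DNS limits (RFC 1035 / RFC 1123): a full hostname is at most 253 characters
# and each dot-separated label at most 63. A SIP host field longer than that
# can never be a real name, so it is a reliable indicator of malformed or
# fuzzed traffic of the kind the article describes.
MAX_HOSTNAME = 253
MAX_LABEL = 63

# Headers whose values carry a host: either a SIP URI or a Via "sent-by".
HOST_HEADERS = ("via", "from", "to", "contact", "route", "record-route")

# Host part of a SIP URI: optional user@ then host, stopping at port/params.
# (Bracketed IPv6 literals are not handled; this check is only about length.)
_URI_HOST_RE = re.compile(r"sips?:(?:[^@>\s;]*@)?([^:;>\s?]+)", re.IGNORECASE)
# Host part of a Via header: "SIP/2.0/<transport> host[:port];params".
_VIA_HOST_RE = re.compile(r"SIP/2\.0/\w+\s+([^:;\s,]+)", re.IGNORECASE)


def parse_sip(message):
    """Split a SIP request into its request line and a list of (name, value) headers."""
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def extract_hosts(message):
    """Return (location, host) pairs from the Request-URI and host-bearing headers."""
    request_line, headers = parse_sip(message)
    found = []
    m = _URI_HOST_RE.search(request_line)
    if m:
        found.append(("request-uri", m.group(1)))
    for name, value in headers:
        if name not in HOST_HEADERS:
            continue
        pattern = _VIA_HOST_RE if name == "via" else _URI_HOST_RE
        m = pattern.search(value)
        if m:
            found.append((name, m.group(1)))
    return found


def oversized_hosts(message, max_host=MAX_HOSTNAME, max_label=MAX_LABEL):
    """Return the (location, host) pairs whose host breaks the DNS length limits."""
    return [
        (loc, host)
        for loc, host in extract_hosts(message)
        if len(host) > max_host
        or any(len(label) > max_label for label in host.split("."))
    ]


# --- constructed sample traffic (not captured from any real system) ---
def _invite(via_host, to_host):
    return "\r\n".join([
        "INVITE sip:bob@pbx.example.com SIP/2.0",
        f"Via: SIP/2.0/UDP {via_host}:5060;branch=z9hG4bK776asdhds",
        "From: Alice <sip:alice@pbx.example.com>;tag=1928301774",
        f"To: Bob <sip:bob@{to_host}>",
        "Contact: <sip:alice@192.0.2.10>",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "Content-Length: 0",
        "", ""])


FUZZED_HOST = "A" * 300                       # over both limits
LONG_LABEL_HOST = "b" * 70 + ".example.com"   # 82 chars total, but one label is 70

BENIGN_INVITE = _invite("192.0.2.10", "pbx.example.com")
FUZZED_VIA_INVITE = _invite(FUZZED_HOST, "pbx.example.com")
LONG_LABEL_TO_INVITE = _invite("192.0.2.10", LONG_LABEL_HOST)

if __name__ == "__main__":
    samples = [("benign", BENIGN_INVITE), ("fuzzed via", FUZZED_VIA_INVITE),
               ("long label in To", LONG_LABEL_TO_INVITE)]
    for label, msg in samples:
        print(label, "->", oversized_hosts(msg) or "ok")
```

The check deliberately looks at every host-bearing header rather than only the Request-URI, because a server typically parses all of them with the same routine; a length bound applied before the copy is also the fix a vendor would make in the parser itself.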
Cisco's Product Security Incident Response Team (PSIRT) plans to make software available to address the vulnerabilities.

Symantec rated the flaws so seriously in its DeepSight Threat Management System because no exploit code is needed to trigger them.
The threat may be mitigated depending on the way the VoIP solution is deployed. To prevent unauthorised access, CallManager 5.0 solutions should be implemented using VLANs and access control lists that limit access to the actual call processing servers, suggests one solutions provider.
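One way to put that recommendation into practice on a Cisco IOS switch or router, as an added example that is not from the article or from Cisco's own documentation: the access list below is applied to the interface of the VLAN holding the call-processing server and admits only phone signalling and provisioning from the voice VLAN, and only web and SSH administration from the management subnet, logging everything else. The addresses (10.10.10.5 for the server, 10.10.20.0/24 for phones, 10.10.30.0/24 for administrators) and the VLAN number are constructed; the ports are the standard ones for SCCP (TCP 2000), SIP (5060), TFTP (UDP 69), HTTPS (443) and SSH (22).

```text
! Constructed example: restrict who can reach the CallManager at all.
ip access-list extended CALLMANAGER-IN
 remark --- phones (10.10.20.0/24) to CallManager (10.10.10.5): signalling and provisioning only
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.5 eq 2000
 permit udp 10.10.20.0 0.0.0.255 host 10.10.10.5 eq 5060
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.5 eq 5060
 permit udp 10.10.20.0 0.0.0.255 host 10.10.10.5 eq 69
 remark --- administrators (10.10.30.0/24) only: web administration and the SSH CLI
 permit tcp 10.10.30.0 0.0.0.255 host 10.10.10.5 eq 443
 permit tcp 10.10.30.0 0.0.0.255 host 10.10.10.5 eq 22
 remark --- nothing else reaches the server; attempts are logged for the SOC
 deny   ip any host 10.10.10.5 log
 permit ip any any
!
interface Vlan10
 description Call-processing server VLAN
 ip access-group CALLMANAGER-IN out
```

The ACL narrows who can reach the authenticated CLI to the management subnet, which is where the two CLI flaws matter. It does not remove exposure to the SIP overflow, since phones must still be able to send SIP to the server; that is why the article says the threat "may be mitigated depending on the way the VoIP solution is deployed" rather than eliminated, and why the logged denies are worth feeding into monitoring until Cisco's fix is applied.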
Cisco also revealed a vulnerability that affects the Cisco Router Web Setup tool (CRWS), used to configure routers. This flaw hinges on the application's failure to properly authenticate remote Web-based users, and could allow an attacker to gain elevated administration privileges.