Cisco Call Manager Security

Written by Adam Gosling

Friday, 15 July 2005
Internet Security Systems (ISS) managed to break Cisco Systems' VoIP implementation. Cisco CallManager users need to take remedial action.
The security vulnerabilities were found by ISS in the software-based call-processing component of the Cisco IP telephony solution. Cisco CallManager 3.3 and earlier, 4.0, and 4.1 are vulnerable to Denial of Service (DoS) attacks, memory leaks, and memory corruption which may result in services being interrupted, servers rebooting, or arbitrary code being executed, Cisco admitted in a security bulletin posted prior to ISS going public.
In its announcement ISS explained that by exploiting several vulnerabilities an attacker is able to trigger a heap overflow, which both causes a denial of service condition and enables the attacker to completely compromise the Call Manager server.
An attacker could then redirect calls or eavesdrop, as well as gain unauthorised access (including remote code execution) to networks and machines running Cisco VoIP products.
"Voice over Internet Protocol is increasingly being adopted by corporations that wish to save money on telecommunications costs and streamline their communication infrastructure, providing employees with advanced features while simplifying administration processes," said Chris Rouland, chief technology officer at Internet Security Systems.
"Like many of the applications that are driving today's businesses, VoIP travels over a variety of networks and the public Internet and is therefore susceptible to the same security perils as other staple network components like e-mail, databases and servers."
Cisco has made free software available to address these vulnerabilities, but it’s probably best if you go here and check the advisory yourself.
When considering software upgrades, Cisco recommends that you also consult this document and any subsequent advisories to determine exposure and a complete upgrade solution.
Customers who purchase direct from Cisco but who do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale, should get their upgrades by contacting the Cisco Technical Assistance Center (TAC) by phone or email.
www.iss.net