India Broadband Forum

Admin

Cisco has detailed two vulnerabilities in its Unified CallManager for VoIP systems. The flaws are serious - Symantec has rated the flaws a 10 out of a possible 10.

The are two flaws are reportedly in the command line management interface (CLI) for Cisco's Unified CallManager 5.0. The flaws would allow a logged-in administrator to gain root access privileges and execute code, overwrite files, and launch denial of service attacks, Cisco said.

CallManager 5.0 also includes a buffer overflow vulnerability that attackers can exploit by placing excessively long hostnames into SIP requests along with malicious code, paving the way for code execution and denial of service attacks, according to this report.

Cisco's Product Security Incident Response Team (PSIRT) plans to make software available to address the vulnerabilities.

Symantec rated the flaws so seriously in its DeepSight Threat Management System as they do not require an exploit.

The threat may be mitigated depending on the way the VoIP solution is deployed. To prevent unauthorised access, CallManager 5.0 solutions should be implemented using VLANs and access control lists that limit access to the actual call processing servers, suggests one solutions provider.

Cisco also revealed a vulnerability that affects the Cisco Router Web Setup tool (CRWS), used to configure routers. This flaw hinges on the application's failure to properly authenticate remote Web-based users, and could allow an attacker to gain elevated administration privileges.