Cyber Security Institute

Thursday, July 14, 2005

Cisco Plugs VoIP Gateway Holes

Network equipment supplier Cisco has issued patches for several security flaws in its voice-over-IP gateways that hackers could exploit to eavesdrop on telephone calls. The flaws could also be exploited to launch denial-of-service attacks on services managed by its VoIP software platform.

The vulnerabilities make it possible for an attacker to trigger a heap overflow within a critical Call Manager process, both causing a denial-of-service condition and enabling an attacker to completely compromise the Call Manager server, ISS said.

“Like many of the applications that are driving today’s businesses, VoIP travels over a variety of networks and the public Internet and is therefore susceptible to the same security perils as other staple network components like e-mail, databases and servers,” Chris Rouland, chief technology officer at ISS, said in a statement.  “We are aware of several vulnerabilities that potentially affect the Cisco Call Manager software.”

“To date, Cisco is not aware of any active exploitation of these vulnerabilities and Cisco has made a free software fix available,” the company said.

“An attacker may be able to redirect calls or perform eavesdropping as a result of this compromise.  Successful exploitation of this vulnerability could be used to gain unauthorized access to networks and machines with Cisco VoIP products,” the company said.  No authentication is required for an attacker to exploit the vulnerability and compromise a network, according to ISS.

“Voice over Internet Protocol is increasingly being adopted by corporations that wish to save money on telecommunications costs and streamline their communication infrastructure, providing employees with advanced features while simplifying administration processes,” Rouland said.

Posted on 07/14