Cisco patches VoIP vuln
Print storyIoS update wards off hackers
Posted in Enterprise Security, 25th January 2005 13:01 GMT
Free whitepaper – The shortcut guide to managing certificate lifecycles
Cisco is advising users of its IP telephony to update their software following the discovery of a flaw that might allow hackers to mount denial of service attacks.
The vulnerability affects versions of Cisco's core Internetwork Operating System (IOS) software configured for the Cisco IOS Telephony Service (ITS), Cisco CallManager Express (CME) or Survivable Remote Site Telephony (SRST) services. By sending malformed control messages a cracker could cause devices such as VoIP routers running the vulnerable software to reload. The trick could be exploited repeatedly to create a Denial of Service (DoS) attack against targeted networks.
Cisco has updated affected versions of its software (12.1YD, 12.2T, 12.3 and 12.3T) to block the exploit. Links to these free software upgrades, along with advice on suggested workarounds, can be found in Cisco's advisory. Cisco said it isn't aware of reports of malicious exploitation of the vulnerability.
The vulnerability was originally reported to Cisco by penetration testing firm SecureTest, whose previous research on IP telephony vulnerabilities has been hotly disputed by the networking vendor. ®
Related stories
Cisco VoIP kit open to 'snooping attacks'
Cisco dismisses VoIP snooping concerns
Cisco adds scrambler to IP telephony
Cisco fixes 'decoy attack' in security software
Free whitepaper – Securing your Apache web server with a Thawte digital certificate
The best practices guide for application security
Avoiding 7 common mistakes of IT security compliance
The starter PKI program
Airport insecurity: the case of lost laptops
The mandate for application security
Google cloud told to encrypt itself
Buggy 'smart meters' open door to power-grid botnet
Chinese firm hits back at cyberspy claims
BlockMaster SafeStick hardware-encrypted USB drive