Cisco Systems Warns about Router Flaws

Today Cisco Systems released a warning that flaws in the router software could be a conduit for attacks on enterprise networks providing VoIP services. Cisco released two security alerts today along with repair details for Cisco CallManager, their VoIP service program. There are two flaws that currently exist in the software: one of which could allow an attacker to literally paralyze a Cisco VoIP telephony installation, the other flaw would enable someone with read only access to the system gain full privileges, according to the alerts.

The denial of service problem in CallManager VoIP services exists because the software does not manage certain network connections well, leaving it completely vulnerable to attacks. "This may lead to phones not responding, phones unregistering from Cisco CallManager, or could cause the Cisco CallManager to restart", according to the Cisco's company advisory. The second flaw affects only CallManager systems that have the multi level administration enabled. This bug could allow an administrative user with restricted, read-only access to gain full administrative privileges by using a special URL, Cisco said in an alert.

Both flaws affect CallManager 3.2 and earlier, as well as certain versions of CallManager 3.3, 4.0 and 4.1. Cisco has fixes available.