Most users simply love VoIP technology, because it offers them the possibility of making calls at very low prices (and sometimes even for free, just think of Skype or Yahoo! Messenger Beta, which is also a form of VoIP), with a relatively good quality of the connection.
However, this system is prone to attacks, due to the fact that it opens up different computer ports in order to connect to voice servers. And the latest example is that of Cisco Systems, which has identified several vulnerabilities in its products this week that could lead to denial-of-service attacks, as reported by Marguerite Reardon for CNET News.
Thus, the most important flaw was reported Tuesday when Cisco warned that hackers could cripple its IP telephony networks by exploiting flaws in its CallManager software, an essential component of Cisco's IP telephony technology, used for call signaling and call routing.
Cisco has already issued a patch for this flaw, and Internet Security Systems also has released software that can block the attack, to help customers as they test and install the Cisco patch.
By exploiting these flaws, an attacker could trigger an overflow in memory within a critical CallManager process. This can result in a denial-of-service condition, which will cause the CallManager server to shut down and reboot. Once the CallManager server is compromised, an attacker could redirect calls and eavesdrop on calls, as well as gain unauthorized access to networks and machines running Cisco VoIP, or voice over Internet Protocol, products.
The versions of the CallManager software affected by this flaw include CallManager 3.3 and earlier, 4.0 and 4.1. Fortunately, no attacks that exploit the CallManager flaws have been reported, said a Cisco representative.
The CallManager vulnerabilities are not deemed "critical," because the attacker would need to be inside the network in order to exploit them, said Michael Sutton, director of iDefense Labs.
"Because VoIP software is still relatively immature, it is less secure than other telephony solutions," said Neel Mehta, team lead of advanced research for Internet Security Systems. "There are also problems with the design of VoIP protocols that cause concern for people. These weaknesses haven't been exploited widely by hackers yet. But VoIP deployments are increasing fast, so it will become a bigger and bigger target."