Cisco sounds multiple security warnings
Published: 15 Jul 2005 09:40 BST
Cisco identified several vulnerabilities in its products this week that could lead to DoS attacks.
The most noteworthy flaw was reported Tuesday when Cisco warned that hackers could cripple its Internet telephony networks by exploiting flaws in its CallManager software, an essential component of Cisco's VoIP technology, which is used for call signalling and call routing.
Cisco has issued a patch for the vulnerability, which can be found on its Web site. Internet Security Systems (ISS) also has released software that can block the attack, to help customers as they test and install the Cisco patch.
By exploiting the discovered vulnerabilities, an attacker can trigger an overflow in memory within a critical CallManager process. This can result in a DoS condition, which will cause the CallManager server to shut down and reboot. Once the CallManager server is compromised, an attacker could redirect calls and eavesdrop on calls, as well as gain unauthorised access to networks and machines running Cisco VoIP products.
Versions of the CallManager software that are vulnerable include CallManager 3.3 and earlier, 4.0 and 4.1. No attacks have been reported that exploit the CallManager flaws, said a Cisco representative.
The CallManager vulnerabilities are not considered "critical", because the attacker would need to be inside the network in order to exploit them, said Michael Sutton, director of iDefense Labs.
According to research firm Gartner, by 2007, 97 percent of new phone systems installed in North America will be VoIP-based or will use a combination of traditional and VoIP technology. Cisco claims to have sold some five million VoIP phones to customers throughout the world.
Despite the ease of use of VoIP, the technology behind it is complex, and security can often be an issue, security experts have said.
"Because VoIP software is still relatively immature, it is less secure than other telephony solutions," said Neel Mehta, team lead of advanced research for ISS. "There are also problems with the design of VoIP protocols that cause concern for people. These weaknesses haven't been exploited widely by hackers yet. But VoIP deployments are increasing fast, so it will become a bigger and bigger target."
NISCC issued a warning pertaining to Cisco VoIP gear back in May regarding a flaw that could crash its IP telephones. The vulnerability was associated with Cisco IP phones running the DNS protocol. DNS handles the translation of domain names into IP addresses. DNS servers are located throughout the Internet to perform this translation and to ensure that IP packets arrive at their proper destinations. Cisco issued a software patch for the vulnerability when it was first reported.
In general, VoIP networks are less secure than traditional data networks, said Elisabeth Hurrell, an analyst at Forrester Research. Because voice traffic is sensitive to delays, traditional firewalls that inspect packets can't be used. While it may not matter if email packets are delayed getting to their destination, delayed voice packets will make a call sound choppy, which is unacceptable. To alleviate this problem, certain ports will often be left open, which also opens the network up to potential attack.
"Many companies are unaware that VoIP has unique security requirements," Hurrell said. "Companies really have to think differently about security when it comes to VoIP. Their traditional security solutions are likely to not provide them enough protection."
On Wednesday, Cisco announced security vulnerabilities in two other products that could allow DoS attacks. It reported that the Cisco ONS 15216 OADM contains a vulnerability in the handling of telnet sessions that can cause a denial-of-service condition.
And the Cisco Security Agent, a network security software agent that provides threat protection for server and desktop computers, can also be exploited by a specially crafted IP packet, which may cause the device to stop functioning and reload. Patches for the OADM product and the Security Agent can be found on Cisco's Web site.
Sutton also rated these vulnerabilities as important, but not "critical".
CNET News.com's Dawn Kawamoto contributed to this report.













