Cisco Patches VoIP Phone Vulnerability
A bug in some implementations of the DNS protocol has left parts of Cisco's IP phone line vulnerable to DoS attacks. Cisco has a patch.
Acting on information provided by a U.K. government security group's advisory, Cisco has patched the software for several of its IP telephony products.
According to the U.K.'s National Infrastructure Security Co-ordination Center (NISCC), a vulnerability in some implementations of the DNS protocol could allow malicious individuals to effect a denial of service attack on certain systems.
NISCC's advisory included some details of the vulnerability, noting that it affects DNS messages compressed to "easily fit in a UDP packet." According to the advisory, some DNS implementations rely on recursion to decode such messages, and can enter into a loop that causes a DNS service to crash if it's fed instructions to go to an illegal address.
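DNS name compression (RFC 1035) replaces a repeated name with a two-byte pointer to an earlier offset in the message, and a decoder that follows pointers recursively without checks is what the advisory describes. The following is an added example, not code from Cisco or NISCC: a decoder that walks pointers iteratively and rejects looping or out-of-range targets. The function name `dns_decode_name` and the sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample buffers (not captured traffic; DNS header omitted). */
const uint8_t MSG_OK[]   = { 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
                             3,'w','w','w', 0xC0,0x00 };   /* name at 13 points to 0 */
const uint8_t MSG_LOOP[] = { 0xC0,0x02, 0xC0,0x00 };       /* two pointers, each to the other */
const uint8_t MSG_OOB[]  = { 0,0, 3,'w','w','w', 0xC0,0xFF }; /* pointer past end of message */

/* Decode the name at msg[off] into dotted text; returns its length or -1 if
 * malformed. Iterative, so pointer chains cost no stack, and each pointer must
 * target an offset below the current segment start, so the loop terminates. */
int dns_decode_name(const uint8_t *msg, size_t len, size_t off,
                    char *out, size_t outsz)
{
    size_t n = 0, limit = off;   /* n: bytes written; limit: pointer ceiling */
    for (;;) {
        if (off >= len) return -1;              /* ran off the message */
        uint8_t b = msg[off];
        if ((b & 0xC0) == 0xC0) {               /* compression pointer */
            if (off + 1 >= len) return -1;
            size_t target = ((size_t)(b & 0x3F) << 8) | msg[off + 1];
            if (target >= limit) return -1;     /* self, forward or out-of-range */
            limit = off = target;
            continue;
        }
        if (b & 0xC0) return -1;                /* reserved label type */
        if (b == 0) break;                      /* root label: end of name */
        if (off + 1 + b > len) return -1;       /* label overruns message */
        if (n + (n ? 1 : 0) + b + 1 > outsz) return -1;  /* dot + label + NUL */
        if (n) out[n++] = '.';
        memcpy(out + n, msg + off + 1, b);
        n += b;
        off += 1 + (size_t)b;
    }
    if (n >= outsz) return -1;
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char name[256];
    int ok = dns_decode_name(MSG_OK, sizeof MSG_OK, 13, name, sizeof name);
    printf("%d %s\n", ok, ok < 0 ? "(rejected)" : name);
    return dns_decode_name(MSG_LOOP, sizeof MSG_LOOP, 2, name, sizeof name) == -1 ? 0 : 1;
}
```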
The affected Cisco products, according to the company's advisory, include Cisco IP Phones 7902/7905/7912, the Cisco ATA (Analog Telephone Adaptor) 186/188, as well as its Unity Express product and several of its ACNS devices. Some IP phones are not affected, nor is any Cisco product running the company's IOS.