Cisco Patches VoIP Phone Vulnerability

By Michael Hall | May 25, 2005 | Print this Page
http://www.enterprisenetworkingplanet.com/news/article.php/3507801/Cisco-Patches-VoIP-Phone-Vulnerability.htm

Acting on information provided by a U.K. government security group's advisory, Cisco has patched the software for several of its IP telephony products.

According to the U.K.'s National Infrastructure Security Co-ordination Center (NISCC), a vulnerability in some implementations of the DNS protocol could allow malicious individuals to effect a denial of service attack on certain systems.

NISCC's advisory included some details of the the vulnerability, noting that it affects DNS messages compressed to "easily fit in a UDP (define) packet." According to the advisory, some DNS implementations rely on recursion to decode such messages, and can enter into a loop that causes a DNS service to crash if it's fed instructions to go to an illegal address.

The affected Cisco products, according to the company's advisory, include Cisco IP Phones 7902/7905/7912, the Cisco ATA (Analog Telephone Adaptor) 186/188, as well as its Unity Express product and several of its ACNS devices. Some IP phones are not affected, nor is any Cisco product running the company's IOS.