Cisco Plugs VoIP Gateway Holes

Flaws in its voice-over IP gateways could let hackers eavesdrop on telephone calls and launch denial-of-service attacks on some services.

By Tim Gray | Jul 14, 2005

Network equipment supplier Cisco has issued patches for several security flaws in its voice-over IP gateways that hackers could exploit to eavesdrop on telephone calls.

The vulnerability could also be exploited to launch denial-of-service attacks on services managed by its VoIP software platform.

The most recent VoIP security flaws, discovered by Internet Security Systems' (ISS) X-Force security team, are located in Cisco's Call Manager, an essential component of any Cisco VoIP deployment that performs call signaling and call routing.

The vulnerabilities make it possible for an attacker to trigger a heap overflow within a critical Call Manager process, both causing a denial-of-service condition and enabling the attacker to completely compromise the Call Manager server, ISS said.

"Like many of the applications that are driving today's businesses, VoIP travels over a variety of networks and the public Internet and is therefore susceptible to the same security perils as other staple network components like e-mail, databases and servers," Chris Rouland, chief technology officer at ISS, said in a statement.

"We are aware of several vulnerabilities that potentially affect the Cisco Call Manager software. To date, Cisco is not aware of any active exploitation of these vulnerabilities and Cisco has made a free software fix available," the company said.

"An attacker may be able to redirect calls or perform eavesdropping as a result of this compromise. Successful exploitation of this vulnerability could be used to gain unauthorized access to networks and machines with Cisco VoIP products," the company said.

No authentication is required for an attacker to exploit the vulnerability and compromise a network, according to ISS.

"Voice over Internet Protocol is increasingly being adopted by corporations that wish to save money on telecommunications costs and streamline their communication infrastructure, providing employees with advanced features while simplifying administration processes," Rouland said.
