Cisco Plugs VoIP Gateway Holes

Flaws in its voice-over IP gateways could let hackers eavesdrop on telephone calls and issue denial-of-service attacks on some services.

By Tim Gray | Posted Jul 14, 2005
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

Network equipment supplier Cisco has issued patches for several security flaws in its voice-over IP gateways that hackers could exploit and use to eavesdrop on telephone calls.

The vulnerability could also be exploited to issue denial-of-service attacks on services managed by its VoIP software platform.

The most recent VoIP security flaws, discovered by security unit Internet Security Systems(ISS) X-Force team, are located in Cisco's Call Manager, an essential component to the functioning of any Cisco VoIP deployment that perform call signaling and call routing.

The vulnerabilities make it possible for an attacker to trigger a heap overflow within a critical Call Manager process, causing both a denial of service condition and enabling an attacker to completely compromise the Call Manager server, ISS said.

"Like many of the applications that are driving today's businesses, VoIP travels over a variety of networks and the public Internet and is therefore susceptible to the same security perils as other staple network components like e-mail, databases and servers," Chris Rouland, chief technology officer at ISS, said in a statement.

"We are aware of several vulnerabilities that potentially affect the Cisco Call Manager software. To date, Cisco is not aware of any active exploitation of these vulnerabilities and Cisco has made free software fix available," the company said.

Cisco is not aware of any active exploitation of these vulnerabilities and Cisco has made free software fix available.

"An attacker may be able to redirect calls or perform eavesdropping as a result of this compromise. Successful exploitation of this vulnerability could be used to gain unauthorized access to networks and machines with Cisco VoIP products," the company said.

No authentication is required for an attacker to exploit the vulnerability and compromise a network, according to ISS.

"Voice over Internet Protocol is increasingly being adopted by corporations that wish to save money on telecommunications costs and streamline their communication infrastructure, providing employees with advanced features while simplifying administration processes," Rouland said.

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter