August 9, 2007 10:14 AM PDT

Cisco issues 10 security updates

by Dawn Kawamoto

On Wednesday, Cisco Systems issued 10 security updates--three of which address vulnerabilities that can cause "moderate" damage to users' systems.

Although Cisco lists the security flaws as "moderate," it ranks them a "4" on its 5-point severity scale. And in two of the three cases, attackers could gain access without the need to authenticate their identity.

Various versions of the Cisco CallManager and IOS products contain the security flaws, according to Cisco's security advisory.

The Cisco CallManager and IOS products contain security flaws that relate to processing malformed Session Initiation Protocol (SIP) packets. SIP packets are used to create and manage communications in such applications as VoIP and teleconferencing, and the affected products could suffer a denial of service as they attempt to handle malicious SIP packets.

Security flaws were also found in Cisco IOS relating to its Next Hop Resolution Protocol packets, as well as its secure copy server operations in some versions of IOS.

Cisco issued an update for numerous versions of IOS in an effort to patch a security flaw in the boundary checking of Next Hop Resolution Protocol packets. Attackers could exploit the vulnerability by sending a malicious packet to users' systems, triggering a buffer overflow.

In the case of the secure copy (SCP) server flaws, an authenticated remote attacker could exploit a flaw in certain versions of Cisco IOS. The vulnerabilities are a result of insufficient enforcement of access restrictions when performing secure copy operations within IOS. As a result, attackers with minimal read-access privileges could perform SCP operations as though they had maximum privileges.

Dawn Kawamoto covers enterprise security and financial news relating to technology for CNET News.