Cisco finds security flaw in router software

Cisco Systems routers running certain telephony features could be vulnerable to denial-of-service attacks, the company warned Friday.

Cisco said routers running the IOS Telephony Service, Cisco CallManager Express and Survivable Remote Site Telephony features could be vulnerable. These features are embedded in the company's Internetwork Operating Software, or IOS, which is used on all of Cisco's IP routers.

The CallManager Express feature enables Cisco IP routers to handle call processing for Cisco IP phones. Survivable Remote Site Telephony gives companies with branch offices an automated backup mechanism to improve the reliability of their IP voice networks. If the wide-area network link to a remote office fails and the connection to the Cisco CallManager is lost, the branches' phones would automatically be redirected to the Cisco branch router running the Survivable Remote Site Telephony feature. This router would take over and provide the same function as the CallManager. When the wide-area link is restored, the phones would automatically reregister with the original Cisco CallManager.

These features all use Skinny Call Control Protocol, the primary signaling protocol for Cisco's CallManager. Cisco said in its warning that certain "malformed packets" sent to the port handling the Skinny Call Control Protocol may cause the device to reload. An attacker exploiting this bug could flood the device with malformed packets that would cause the device to reload over and over again, causing a denial-of-service attack.

Cisco notes that only devices running IOS with these telephony features are vulnerable to this sort of attack. A free software patch is available from the company to fix the problem. More information about the vulnerability is available on Cisco's Web site.