July 14, 2005 9:53 AM PDT
Cisco warns of security flaws
- Related Stories
Cisco targets Net phone software flawMay 24, 2005
Cisco finds more security flaws in router softwareJanuary 26, 2005
Cisco flaw opens networks to attacksAugust 19, 2004
The most noteworthy flaw was reported Tuesday when Cisco warned that hackers could cripple its IP telephony networks by exploiting flaws in its CallManager software, an essential component of Cisco's IP telephony technology, which is used for call signaling and call routing.
Cisco has issued a patch for the vulnerability, which can be found on its Web site. Internet Security Systems also has released software that can block the attack, to help customers as they test and install the Cisco patch.
By exploiting the discovered vulnerabilities, an attacker can trigger an overflow in memory within a critical CallManager process. This can result in a denial-of-service condition, which will cause the CallManager server to shut down and reboot. Once the CallManager server is compromised, an attacker could redirect calls and eavesdrop on calls, as well as gain unauthorized access to networks and machines running Cisco VoIP, or voice over Internet Protocol, products.
Versions of the CallManager software that are vulnerable include CallManager 3.3 and earlier, 4.0 and 4.1. No attacks have been reported that exploit the CallManager flaws, said a Cisco representative.
The CallManager vulnerabilities are not considered "critical," because the attacker would need to be inside the network in order to exploit it, said Michael Sutton, director of iDefense Labs.
Voice over IP technology allows companies to send voice traffic over the same infrastructure they use for data traffic, such as e-mail. The technology has been growing in popularity over the past few years, because it helps companies save costs and provides more flexibility to employees. According to research firm Gartner, by 2007, 97 percent of new phone systems installed in North America will be VoIP-based or will use a combination of traditional and VoIP technology. Cisco claims to have sold some 5 million VoIP phones to customers throughout the world.
Despite the ease-of-use of VoIP, the technology behind it is complex, and security can often be an issue, security experts have said.
"Because VoIP software is still relatively immature, it is less secure than other telephony solutions," said Neel Mehta, team lead of advanced research for Internet Security Systems. "There are also problems with the design of VoIP protocols that causes concern for people. These weaknesses haven't been exploited widely by hackers yet. But VoIP deployments are increasing fast, so it will become a bigger and bigger target."
Cisco issued a another warning back in May regarding a flaw that could crash its IP telephones. The vulnerability was associated with Cisco IP phones running the Domain Name Server, or DNS, protocol. DNS handles the translation of domain names into IP addresses. DNS servers are located throughout the Internet to perform this translation and to ensure that IP packets arrive at their proper destinations. Cisco issued a software patch for the vulnerability when it was first reported.
In general, VoIP networks are less secure than traditional data networks, said Elizabeth Hurrell, an analyst at Forrester Research. Because voice traffic is sensitive to delays, traditional firewalls that inspect packets can't be used. While it may not matter if e-mail packets are delayed getting to their destination, delayed voice packets will make a call sound choppy, which is unacceptable. To alleviate this problem, certain ports will often be left open, which also opens the network up to potential attack.
"Many companies are unaware that VoIP has unique security requirements," Hurrell said. "Companies really have to think differently about security when it comes to VoIP. Their traditional security solutions will likely not provide them enough protection."
On Wednesday, Cisco announced security vulnerabilities in two other products that could cause denial-of-service attacks. It reported that the Cisco ONS 15216 OADM (Optical Add/Drop Multiplexer) contains a vulnerability in the handling of telnet sessions that can cause a denial-of-service condition.
And the Cisco Security Agent, a network security software agent that provides threat protection for server and desktop computers, can also be exploited by a specially crafted IP packet, which may cause the device to stop functioning and reload. Patches for the OADM product and the Security Agent can be found on Cisco's Web site.
Sutton also rated these vulnerabilities as important, but not "critical."
CNET News.com's Dawn Kawamoto contributed to this report.