NETWORKING

  • 07/14/2005
    5:50 PM
  • Network Computing
  • News
  • Connect Directly
  • Rating: 
    0 votes
    +
    Vote up!
    -
    Vote down!

Attackers Could Eavesdrop On Cisco-Routed VoIP Calls

Flaws in Cisco's voice-over-Internet (VoIP) software could allow an attacker to bring down the alternative-to-traditional-telephone service, or access the server that initiates and routes Web-based calls, a security firm says.
Flaws in Cisco's Voice-over-Internet Protocol (VoIP) software could allow an attacker to bring down the alternative-to-traditional-telephone service, or access the server that initiates and routes Web-based calls, an Atlanta-based security firm said.

According to alerts posted online by Internet Security Systems' (ISS) X-Force research team, Cisco's CallManager sports a pair of bugs that could be "reliably exploited" by hackers. The potential result: at best a denial-of-service style crash, at worst, a situation where the attacker could redirect calls at will or even eavesdrop on conversations.

By sending specially-crafted packets to Cisco CallManager, an attacker could create a heap overflow and crash the system or gain access. ISS said that an exploit wouldn't need any help from a user, pushing the threat into a more dangerous category.

"Like many of the applications that are driving today's businesses, VoIP travels over a variety of networks and the public Internet and is therefore susceptible to the same security perils as other staple network components like e-mail, databases, and servers," said Chris Rouland, ISS' chief technology officer, in a statement.

Cisco's own advisory includes details on patched editions of CallManager that are ready to download and install. Users without a current service contract with Cisco, however, must telephone the San Jose, Ca.-based networking company's support line to request the upgrades.


Log in or Register to post comments