RealTime IT News

Cisco Warns of Voice Product Security Flaws

Cisco on Thursday warned of a default installation vulnerability in multiple voice products running on the IBM platform that leaves TCP and UDP ports open to malicious attack.

San Jose, Calif.'s Cisco, which has made an aggressive push into the IP telephony market, said the security flaw could be exploited to cause denial-of-service attacks and administrative takeover.

Security research firm Secunia rates the flaw as 'moderately critical' and has urged admins running the vulnerable products to apply Cisco's repair script.

According to the Cisco advisory, the vulnerable voice products running on IBM servers install the Director Agent insecurely by leaving the service on port 14247 (both TCP and UDP) accessible without requiring user authentication.

In addition to leaving the products susceptible to administrative takeover, a malicious attacker could make the IBM Director Agent process consume a server's entire CPU resources by scanning it with a network scanner.

Affected voice products include the Cisco CallManager; Cisco IP Interactive Voice Response (IP IVR); Cisco IP Call Center Express (IPCC Express); Cisco Personal Assistant (PA); Cisco Emergency Responder (CER); Cisco Conference Connection (CCC) and the Cisco Internet Service Node (ISN).

Affected IBM-based server model numbers include the IBM X330 (8654 or 8674); IBM X340; IBM X342; IBM X345; MCS-7815-1000; MCS-7815I-2.0; MCS-7835I-2.4 and MCS-7835I-3.0.

The latest security bug comes on the heels of Cisco's confirmation earlier this month that some of its VoIP products were affected by a flaw in the H.323 networking protocol for transmitting audio-visual data.

It also underscores the risks that come with the growing dependence on IP-based networks, especially in the enterprise. A recent report by Gartner analyst David Fraley made it clear Internet Protocol telephony was less secure than traditional circuit-switched networks and warned that increased convergence of voice and data increases the possibility of cyberwarfare.

"The increasing use of VoIP and convergence networks for critical infrastructure control and maintenance makes the attacks increasingly viable. The ultimate goal of any security system is to ensure that security measures are proportional to the threat," Fraley wrote in a report titled "Cyberwarfare: VoIP and convergence increase vulnerability."

Warning that the risk will likely increase during the next few years, Fraley said enterprises migrating to VoIP networks should develop business continuity and restoration plans to minimize prolonged outages. He also recommended that detailed lists be made of how long critical infrastructure elements can go without communications.