Cisco Warns of Voice Product Security Flaws

Cisco on Thursday warned of a default installation
vulnerability in multiple voice products running on the IBM platform that
leaves TCP and UDP ports open to malicious attack.

San Jose, Calif.’s Cisco, which has made an aggressive push into the
IP telephony market, said the security flaw could be exploited to cause
denial-of-service attacks and administrative
takeover.

Security research firm Secunia rates the flaw as ‘moderately critical’
and has urged admins running the vulnerable products to apply Cisco’s repair script.

According to the Cisco advisory, the vulnerable voice products running on IBM servers install the
Director Agent insecurely by leaving the service on port 14247 (both TCP and
UDP) accessible without requiring user authentication.

In addition to leaving the products susceptible to administrative
takeover, a malicious attacker could make the IBM Director Agent process
consume a server’s entire CPU resources by scanning it with a network
scanner.

Affected voice products include the Cisco CallManager; Cisco IP
Interactive Voice Response (IP IVR); Cisco IP Call Center Express (IPCC
Express); Cisco Personal Assistant (PA); Cisco Emergency Responder (CER);
Cisco Conference Connection (CCC) and the Cisco Internet Service Node
(ISN).

Affected IBM-based server model numbers include the IBM X330 (8654 or
8674); IBM X340; IBM X342; IBM X345; MCS-7815-1000; MCS-7815I-2.0;
MCS-7835I-2.4 and MCS-7835I-3.0.

The latest security bug comes on the heels of Cisco’s confirmation earlier this month that some of its VoIP
products were affected by a flaw in the H.323 networking
protocol for transmitting audio-visual data.

It also underscores the risks that come with the growing dependence on
IP-based networks, especially in the enterprise. A recent report by Gartner
analyst David Fraley made it clear Internet Protocol telephony was less
secure than traditional circuit-switched networks and warned that increased
convergence of voice and data increases the possibility of cyberwarfare.

“The increasing use of VoIP and convergence networks for critical
infrastructure control and maintenance makes the attacks increasingly
viable. The ultimate goal of any security system is to ensure that security
measures are proportional to the threat,” Fraley wrote in a report titled
“Cyberwarfare: VoIP and convergence increase vulnerability.”

Warning that the risk will likely increase during the next few years,
Fraley said enterprises migrating to VoIP networks should develop business
continuity and restoration plans to minimize prolonged outages. He also
recommended that detailed lists be made of how long critical infrastructure
elements can go without communications.

News Around the Web