According to the San Jose, Calif.-based networking giant, IOS release trains 12.1YD, 12.2T, 12.3 and 12.3T may contain a vulnerability when configured for the IOS Telephony Service (ITS), CallManager Express (CME) or Survivable Remote Site Telephony (SRST). The problem is in how certain malformed control protocol messages are processed, the company said, adding, "A successful exploitation of this vulnerability may cause a reload of the device and could be exploited repeatedly to produce a denial of service."
Cisco has made free software upgrades available "to address this vulnerability for all affected customers."
Dan Jackson, president and COO of Dallas-based security firm DeepNines Technologies, warned in a statement that this flaw could signal a greater threat to routers going forward. "From a security standpoint, 2005 is the year that the router becomes the Achilles heel of the network," he said. "Where there's smoke, there's fire -- meaning these won't be the last router vulnerabilities we hear about this year."
He added: "Cisco's greatest asset, its large market share, could become one of its most glaring weaknesses. Just as Microsoft's market share makes it a target for attackers, so, too, Cisco could begin to suffer attacks more regularly. The real problem is that there has been virtually no protection for routers…"
That assessment is in contrast to that of Danish security firm Secunia, which labels the IOS problem "less critical" in its advisory.