Cisco is warning of vulnerabilities in several voice products that could allow a remote attacker to obtain unauthorized administrative control or cause a denial of service.
The default installation of Cisco's Director Agent on IBM servers leaves the Director's services in an insecure state. In particular, Director Agent listens on TCP or UDP port 14247 in such a way that a remote attacker can connect and gain administrative level control without authentication. This level of privilege allows an attacker to shut down, power off or restart the system; execute a command shell; initiate file transfers; stop or start processes, services or device drivers; modify the network configuration; and create Windows 2000 user accounts.
In addition, by scanning port 14247, an attacker can initiate a Director Agent process that will take up 100% of the CPU. This will cause a denial of service, unless the server is shut down.
The Director Agent is part of several Cisco voice products, including CallManager, IP Interactive Voice Response, IP Call Center Express, Personal Assistant, Emergency Responder and Conference Connection. The problem occurs on a variety of IBM-based servers running any version of the operating system before OS 2000.2.6.
Cisco is providing a repair script that will mitigate the vulnerabilities without needing a software upgrade. The repair script keeps the Director Agent from listening for remote connections on TCP or UDP ports 14247. If port 14247 is enabled, the Director Agent won't automatically accept connections. The script also disables certain access and control files not required for Director Server to function.