Cisco warns of UCM flaws

By SearchSecurity.com Staff 25 Jun 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Cisco Systems issued an advisory on Wednesday warning customers about vulnerabilities in its Unified Communications Manager that could interrupt voice services and disclose information useful to an attacker.

Cisco released software updates to fix the flaws in CUCM, which is the call processing component of the Cisco IP Telephony system, and was formerly called Cisco CallManager.

The Computer Telephony Integration (CTI) Manager service of CUCM versions 5.x and 6.x contains a flaw that could result in a DoS when handling malformed input, according to the Cisco advisory.

The other vulnerability affects the Real-Time Information Server (RIS) Data Collector service of CUCM versions 4.x, 5.x and 6.x. The flaw, an authentication bypass vulnerability, could lead to unauthorized disclosure of CUCM cluster information, including user names and configured IP phones, which an intruder could use to mount further attacks, Cisco said. No passwords can be obtained by exploiting the flaw.

Cisco said it was unaware of any malicious exploitation of the flaws.

Products affected by the vulnerabilities are: Cisco Unified CallManager 4.1; CUCM 4.2 versions prior to 4.2(3) SR4; 4.3 versions prior to 4.3(2)SR1; 5.x versions prior to 5.1(3c); and 6.x versions prior to 6.1(2).

Tags: Network Device Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Network Device Management DNSSEC deployments gain momentum since Kaminsky DNS bug Firewall rule management best practices What are best practices for fiber optic cable security? Enterprise UTM security: The best threat management solution? Making the case for network security configuration management Know when you need IDS, IPS or both SIEM: Not for small business, nor the faint of heart Evaluating MSSP security before taking the plunge Ixia network security tool exposes problems Product Review: Deepdive's DD300

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary OCSP  (SearchSecurity.com) trusted computing base  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary