[ISN] Cisco product flaws affect VoIP gear, routers

From: InfoSec News (isn@private)
Date: Thu Jan 19 2006 - 22:14:43 PST


By Phil Hochmuth

A triad of Cisco product vulnerabilities could cause problems for
users of the company's IP PBXs and certain routers, Cisco warned this

One vulnerability affecting Cisco CallManagers could leave the IP PBX
servers open to denial-of-service attacks, potentially shutting down
phone service inside an organization using Cisco CallManagers.

Cisco says the DoS vulnerability exists because CallManager servers do
not time out TCP connections on certain ports fast enough. This could
cause overuse of CPU and memory resources on the server and lead to a
crash or reboot and IP phones not responding with dial tone, the
company says.

Vulnerable versions of CallManager are 3.2, 3.3, 4.0 and 4.1. Theses
versions "do not manage TCP connections and Windows messages
aggressively," says a Cisco bulletin warning of the vulnerabilities.

Since such an attack would require network access to CallManagers,
which are typically deployed behind a firewall, an external DoS attack
on the IP PBX is less likely.

Another vulnerability warning sent to customers this week involves the
Multi Level Administrator service on CallManager servers.  
Administrative users without read-write administrator-level access to
the CallManager could bump up their privileges by sending a "crafted
URL" to the CallManager administrator Web page on the server. This
vulnerability affects the same CallManager versions as the DoS issue,
Cisco says.

Software fixes for both CallManager vulnerabilities are available.

The third bulletin from Cisco this week warns of a problem in the
vendor's IOS router software that could result in a remotely executed
DoS attack on Cisco gear. The problem is with the Cisco IOS Stack
Group Bidding Protocol (SGBP), which is used on routers that aggregate
multiple Point-to-Point Protocol (PPP) connections. When aggregating
multiple PPP links, known as Multilink PPP, the SGBP is used by
devices connected via Multilink PPP to identify each other.

Cisco says that if a specially crafted UDP packet is sent to port 9900
on an affected router (i.e., a device running Multilink PPP and SGBP)  
the device could freeze. Cisco has issued a software fix for the

Short of upgrading IOS software, users can also set up an access
control list to block untrusted access to a router via SGBP, Cisco

InfoSec News v2.0 - Coming Soon! 

This archive was generated by hypermail 2.1.3 : Thu Jan 19 2006 - 22:47:05 PST