Re: Voice over IP

From: Desmond Irvine (desmond.irvineat_private)
Date: Fri Jun 15 2001 - 07:04:32 PDT


    Ryan Russell wrote:
    > On Thu, 14 Jun 2001, Young, Brandon wrote:
    > >
    > > A couple of colleagues and I are working on a security audit for a
    > > VOIP system. Anyone know of any exploits and vulnerabilities that may
    > > exist with Cisco's call manager?
    >
    > The last time I spoke with Cisco about this, the call manager was
    > basically an embedded NT box.  They would ship you an image, and you
    > weren't supposed to modify it yourself.  You can take this to mean that
    > any NT exploits won't be patched in a timely manner.  It's been a year or
    > two, so this may have changed.

    The image is Windows 2000 running IIS 5 and SQL Server 7 (I think).  The
    last image that I looked at was at least 1 year out of date with regard
    to hotfixes, and Cisco's stance as of a couple of weeks ago was still not
    to modify it.  The Unicode vulnerabilities all run quite well on the box
    thanks to this stance and the lack of timely patches from Cisco.  The
    IIS server has both a user and administrator interface that requires
    authentication, which, since the server isn't configured for HTTPS, can be
    sniffed, etc., etc.

    Desmond Irvine                Security Analyst, Information Technology
    Sheridan College              Phone: 905-845-9430 x2035
    1430 Trafalgar Road           Fax: 905-815-4011
    Oakville, ON  L6H 2L1         EMail: desmond.irvineat_private
