Cisco's Call Manager Vulnerable To Attacks
In a report issued last week, Jake Reynolds, senior security engineer at Kansas City, Mo.-based FishNet, said the vulnerability affects versions 3.1 and higher of Call Manager, which handles call routing and call signaling functions in Cisco VoIP systems. A lack of input validation and output encoding in the Web administration interface for Call Manager could allow hackers to execute cross-site scripting attacks, Reynolds wrote.
Cross-site scripting attacks, which usually involve tricking users with access privileges into clicking on a URL in an e-mail or Web page, can be serious because they exploit an inherent weakness in the security of Web browsers, Reynolds said. "Web browsers tend to allow wildly strange ways of executing JavaScript, and that's the crux of cross-site scripting," Reynolds said.
In the Call Manager scenario, attackers would send a request to the Call Manager Web interface that causes malicious JavaScript to be included. If the administrator could be deceived into submitting this tainted request, the malicious code would execute in the victim's Web browser and potentially give attackers the ability to delete or reconfigure system components and gain access to confidential user information, according to the report.
In a statement, Cisco's Product Security Incident Response Team acknowledged the flaw and recommended that users verify link destinations before clicking on URLs as a measure of protection.
Although there are no workarounds for the issue, Cisco, San Jose, Calif., has fixed the vulnerability and fixes will be incorporated in all supported Call Manager trains—software releases with features targeted at distinct markets or customer groups—in versions 4.3(1), 4.2(3), 4.1(3)SR4 and 3.3(5)SR3, according to the statement.
FishNet recommends that companies limit network connectivity to Call Manager wherever possible to prevent hackers from discovering public Web interfaces to exploit.