Cisco Warns Of IOS, Unified Contact Center Bugs

In an advisory issued on Wednesday, Cisco said its Unified Contact Center Enterprise, Unified Contact Center Hosted, IP Contact Center Enterprise and IP Contact Center Hosted products are vulnerable to a glitch in the JTapi Gateway service. An attacker could exploit the flaw to get the JTapi Gateway service to restart, a process that takes several minutes and during which time no new connections can be handled, although existing connections wouldn't be cut off, Cisco said.

Cisco Unified Contact Center Enterprise -- formerly known as Cisco IP Contact Center Enterprise -- provides intelligent routing and call treatment with blending of multiple communication channels and is part of the Cisco Unified Communications system.

Cisco also patched a vulnerability in the Data-link Switching (DLSw) feature in some versions of IOS that could enable attackers to launch DOS attacks, the San Jose, Calif.-based networking vendor said in a Wednesday advisory.

DLSw is used to transmit IBM Systems Network Architecture (SNA) and network basic input/output system (NetBIOS) traffic over an IP network. On devices running vulnerable versions of IOS, attackers could exploit the flaw remotely without needing to be logged in, though they would need to be able to establish a DLSw connection to the device, Cisco said.

Cisco products running IOS versions 11.0 through 12.4 that have the DLSw feature enabled are vulnerable, according to Cisco. The company has fixed the vulnerability for most versions of IOS 12.4 and 12.3, but it indicated in the advisory that fixes for several 12.1 and 12.0 releases won't be ready until March.

Using the 10-point CVSS threat rating system, Cisco issued base scores of 3.3 to both vulnerabilities. However, Symantec Deepsight saw them as more serious, assigning severity ratings of 6.7 out of 10 to the IOS flaw and 5.6 out of 10 to the Unified Contact Center flaw.