Cisco Patches IOS Software, UC Manager Bugs


In its semiannual security advisory, Cisco Systems has released a series of nine security patches aimed mostly at its IOS operating system software, although one of the advisories is designed to close a vulnerability in the San Jose, Calif.-based networking company's Unified Communications Manager (UCM).

The vast majority of the bug fixes close vulnerabilities that could be exploited to launch denial-of-service attacks.

According to the company, the Session Initiation Protocol (SIP) implementation in its IOS Software and IOS XE Software has a bug that could enable a remote attacker to cause a device to reload, provided the device is configured to process SIP messages and to pass through Session Description Protocol (SDP) content.


"This vulnerability is triggered when an affected device processes a crafted SIP message that contains a valid Session Description Protocol (SDP) message," the advisory reports. "Only traffic destined to the device can trigger the vulnerability; transit SIP traffic is not an exploit vector. SDP pass-through must be enabled, either at the global level, or at the dial-peer level, for a device to be affected by this vulnerability."

The UCM bug fix is intended to close an issue with its Session Initiation Protocol (SIP) implementation that could enable an attacker to take down voice services. As with the IOS vulnerability, the affected systems must be configured to process SIP messages for this attack to work.

Unified Communications Manager is the call-processing component of the vendor's IP Telephony products, providing enterprise telephony features and functions to VoIP systems. SIP is used to manage voice and video calls across IP networks, including call setup and termination. The vulnerability closed by the corresponding patch could cause the system to fail when it receives a malicious SIP message that contains a valid Session Description Protocol (SDP) message, in cases where the traffic is addressed to the device itself.
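Because the IOS bug only affects devices with SDP pass-through enabled globally or on a dial-peer, a defender's first triage step is a configuration audit. The following script is an added example, not Cisco's code or part of the advisory; it scans a constructed IOS running-config excerpt and assumes the pass-through feature appears as `pass-thru content sdp` under `voice service voip` / `sip` and as `voice-class sip pass-thru content sdp` under a dial-peer.

```python
import re
from typing import List

# Constructed sample running-config excerpt (not taken from the article).
# Scope one: global pass-through; scope two: a single dial-peer; the third
# dial-peer uses SIP but does not pass SDP through.
SAMPLE_CONFIG = """\
voice service voip
 sip
  pass-thru content sdp
!
dial-peer voice 100 voip
 destination-pattern 1...
 session protocol sipv2
 voice-class sip pass-thru content sdp
!
dial-peer voice 200 voip
 destination-pattern 2...
 session protocol sipv2
!
"""

def sdp_passthrough_scopes(config: str) -> List[str]:
    """Return every scope in which SDP pass-through is enabled.

    Scopes are 'global' (voice service voip) or 'dial-peer <tag>'.
    IOS blocks start with an unindented command and end at '!' or at
    the next unindented command; indented lines belong to the block.
    """
    scopes: List[str] = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if not line.startswith(" "):              # new top-level block
            m = re.match(r"dial-peer voice (\S+) voip", line)
            if m:
                current = f"dial-peer {m.group(1)}"
            elif line == "voice service voip":
                current = "global"
            else:
                current = None
            continue
        cmd = line.strip()
        if current == "global" and cmd == "pass-thru content sdp":
            scopes.append("global")
        elif current and current.startswith("dial-peer") and \
                cmd == "voice-class sip pass-thru content sdp":
            scopes.append(current)
    return scopes

def is_exposed(config: str) -> bool:
    """True if any scope enables SDP pass-through (advisory precondition)."""
    return bool(sdp_passthrough_scopes(config))
```

A device whose audit returns an empty list still needs the patch, but it is not exposed to this particular trigger until pass-through is turned on.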

Cisco has released free software updates that address all of the targeted vulnerabilities.

Cisco releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday of the month in March and September of each calendar year.

PUBLISHED SEPT. 27, 2012