Cisco Patches IOS Software, UC Manager Bugs

By Ken Presti
September 27, 2012    1:09 PM ET

In its semiannual security advisory, Cisco Systems has released a series of nine security patches aimed mostly at its IOS operating system software, although one of the advisories is designed to close a vulnerability in the San Jose, Calif.-based networking company's Unified Communications Manager (UCM).

The vast majority of the bug fixes are designed to close vulnerabilities through which denial-of-service attacks could be launched.

According to the company, the Session Initiation Protocol (SIP) implementation in its IOS Software and its IOS XE Software has a bug that could enable a remote attacker to cause a device to reload, assuming that the devices are configured to process SIP messages and for pass-through of Session Description Protocol (SDP).

"This vulnerability is triggered when an affected device processes a crafted SIP message that contains a valid Session Description Protocol (SDP) message," the advisory reports. "Only traffic destined to the device can trigger the vulnerability; transit SIP traffic is not an exploit vector. SDP pass-through must be enabled, either at the global level, or at the dial-peer level, for a device to be affected by this vulnerability."
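
A configuration check for the precondition quoted above, as an added example that is not from the article or from Cisco's advisory: it scans a saved IOS running-config for SDP pass-through at the global and dial-peer level. The command spellings (`pass-thru content sdp` under `voice service voip`, `voice-class sip pass-thru content sdp` under a dial-peer) are assumed from the IOS CLI and do not appear on this page, and the sample configuration is constructed.

```python
import re

# Constructed sample running-config (not from the article or the advisory).
SAMPLE_CONFIG = """\
voice service voip
 sip
  pass-thru content sdp
!
dial-peer voice 10 voip
 session protocol sipv2
 voice-class sip pass-thru content sdp
!
dial-peer voice 20 voip
 session protocol sipv2
!
dial-peer voice 30 pots
 destination-pattern 5551
!
"""

# Assumed IOS command spellings; verify against the vendor advisory.
GLOBAL_SECTION = "voice service voip"
GLOBAL_CMD = "pass-thru content sdp"
DIAL_PEER_CMD = "voice-class sip pass-thru content sdp"
DIAL_PEER = re.compile(r"dial-peer voice (\d+) voip$")


def audit_sdp_passthrough(config_text):
    """Report where SDP pass-through is enabled in a saved running-config."""
    result = {"global": False, "dial_peers": []}
    section = None  # current top-level (unindented) config command
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or "!" separator
        if not raw[0].isspace():
            section = " ".join(raw.split())
            continue
        cmd = " ".join(raw.split())  # indented sub-command, normalised
        if section == GLOBAL_SECTION and cmd == GLOBAL_CMD:
            result["global"] = True
        peer = DIAL_PEER.match(section or "")
        if peer and cmd == DIAL_PEER_CMD:
            result["dial_peers"].append(int(peer.group(1)))
    return result


if __name__ == "__main__":
    print(audit_sdp_passthrough(SAMPLE_CONFIG))
```

A device that reports neither the global setting nor any dial-peer does not meet the pass-through condition the advisory describes; one that does should be prioritised for the software update.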

The UCM bug fix is intended to close an issue with its Session Initiation Protocol (SIP) implementation that could enable an attacker to take down voice services. Similar to the IOS vulnerability, the devices must be configured to support SIP messages for this attack to work.

Unified Communications Manager is the call-processing component of the vendor's IP Telephony products, providing various enterprise telephony features and functions to VoIP systems. SIP is used to manage voice and video calls across IP networks, including call setup and termination. The vulnerability closed by the corresponding patch could cause the system to fail when it processes a malicious SIP message that contains a valid Session Description Protocol (SDP) message, in cases where the traffic is legitimately addressed to the device.

Cisco has released free software updates that address all of the targeted vulnerabilities.

Cisco releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday of the month in March and September of each calendar year.
