FEATURED VIDEO

Sponsored By:


SLIDE SHOWS
Check out these hot products that keep workers connected, wherever they are.
Solution providers and vendors met up at this year's XChange Government Integrator '08 conference in Washington, D.C. this year to honor the companies that prove that they understand the IT requirements of the public sector.
ChannelWeb picked 15 common beliefs about Microsoft and gave channel partners the opportunity to explain why they're more fiction than fact.
INSIDE CHANNELWEB
techcareers logo Search Jobs:


  

Post Resume|Employers

Recent Post:


Sr Staff Test Engineer
Broadcom seeking Sr Staff Test Engineer in Santa Clara, CA
spacer

Cisco IP Phones Open To Attack


By Stefanie Hoffman, ChannelWeb
8:00 PM EST Thu. Feb. 14, 2008
Time to update your Cisco IP phones. Cisco Systems released multiple security advisories regarding serious vulnerabilities in its IP phones and the Unified Communications Manager -- several of which have the potential to give remote attackers the ability to execute arbitrary code.

In particular, the issues affect phones using Skinny (SCCP) and SIP. Four of the advisories warned that the buffer and heap overflows detected in the IP phones could leave users susceptible to remote exploitation. An attacker could then execute a denial of service attack or take control of an entire affected system.

Lesser errors carry the potential of exposing the IP phones to a denial of service attack, enable privilege escalation or cause vulnerable phones to reboot and interrupt client voice services.

The Cisco UCM, the call processing component of San Jose, Calif.-based Cisco's IP telephony solution, also contains a serious flaw, detected in the key parameter of the Web interface by using the http or https protocol. The error leaves vulnerable systems open to an injection attack, which could terminate an SQL call and force a connection to the back-end database. An authenticated attacker could then access sensitive information, such as usernames and password hashes stored in the database. However the error would not enable an attacker to alter or delete information.

The company has already released free software updates addressing the error. A Cisco spokesperson said that the company planned to notify users as the updated software becomes available.

Security experts recommend that users update their IP phones with the patches that are available. Workarounds are also available for several of the vulnerabilities. Experts advise that users disable almost all ways to remotely manage the device, such as internal Telnet and HTTP servers and/or the filter remote access, which will eliminate exposure to the overflow and server DoS vulnerabilities.

Cisco researchers said that so far no malicious exploits have been detected for any of the vulnerabilities.


RATE THIS ARTICLE Worse 1 2 3 4 5 Better
CHANNELWEB MARKETSPACE >> (Sponsored Links)
RELATED BLOG >>
Photo
A security warning posted yesterday on Debian's security list warned of a critical vulnerability in the way SSH keys are generated, impacting Debian and Debian-based machines, including Ubuntu and its variants.
ADVERTISEMENT




CHANNEL SERVICES >>