Cisco Patches IOS Flaw

By Ryan Naraine  |  Posted 2005-01-25 Print this article Print

Malicious hackers could launch denial-of-service attacks on VOIP devices.

Switching and routing firm Cisco Systems Inc. has issued a fix for a denial-of-service vulnerability affecting versions of its flagship IOS (Internetwork Operating System) software.

A security advisory from the San Jose, Calif.-based company said the flaw affects all Cisco devices that are configured for Cisco ITS (IOS Telephony Service), Cisco CME (CallManager Express) or SRST (Survivable Remote Site Telephony) services.

ITS, CME and SRST are features that allow a Cisco device running IOS to control IP phones using the Skinny Call Control Protocol. The company warned that a malicious hacker could send certain malformed packets to the SCCP port on an IOS device configured for ITS, CME or SRST, which may cause the target device to reload.

The attack scenario could be done repeatedly to create a denial-of-service attack against telephony devices, company officials said.

The vulnerability, which was detected and reported by researchers at SecureTest, exists because of an error within the processing of control protocol messages. It affects the 12.1YD, 12.2T, 12.3, and 12.3T release trains. Dan Jackson, president and chief operating officer of DeepNines Technologies, said the Cisco flaw is further proof that routers could present a bigger target for malicious hackers.

"From a security standpoint, 2005 is the year that the router becomes the Achilles heel of the network," Jackson said in a statement. "Where theres smoke, theres fire—meaning these wont be the last router vulnerabilities we hear about this year."

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel