Cisco is advising users of its IP telephony to update their software following the discovery of a flaw that might allow hackers to mount denial of service attacks.
The vulnerability affects versions of Cisco's core Internetwork Operating System (IOS) software configured for the Cisco IOS Telephony Service (ITS), Cisco CallManager Express (CME) or Survivable Remote Site Telephony (SRST) services. By sending malformed control messages a cracker could cause devices such as VoIP routers running the vulnerable software to reload. The trick could be exploited repeatedly to create a Denial of Service (DoS) attack against targeted networks.
Cisco has updated affected versions of its software (12.1YD, 12.2T, 12.3 and 12.3T) to block the exploit. Links to these free software upgrades, along with advice on suggested workarounds, can be found in Cisco's advisory. Cisco said it isn't aware of reports of malicious exploitation of the vulnerability.
The vulnerability was originally reported to Cisco by penetration testing firm SecureTest, whose previous research on IP telephony vulnerabilities has been hotly disputed by the networking vendor. ®