Cisco Issues Security Alerts for its Unified Communications Products

Cisco has issued two security alerts relating to flaws in its unified communications products which could enable hackers to launch denial of service attacks or hack into company telephony systems and retrieve sensitive information, among other annoyances.

According to published reports, one of the alerts concerns a flaw in certain Cisco Unified IP Phone models running its Skinny Call Control Protocol (SCCP) and/or Session Initiation Protocol (SIP). The other alert relates to a vulnerability which might enable a hacker to launch an SQL Injection attack affecting Cisco's Unified Communications Manager software.

Numerous models of Cisco’s SCCP- and SIP-based phones contain a buffer overflow vulnerability in the handling of DNS responses. The company said a hacker launching a specially-crafted DNS response might be able to trigger a buffer overflow and execute arbitrary code on a vulnerable phone. The company has already patched the vulnerability in SCCP firmware version 8.0(8) and SIP firmware version 8.8(0), but certain other versions are still vulnerable.

As per a report appearing Wednesday on Network World, there are, in fact, “three vulnerablities that affect certain SCCP devices: a large Internet Control Message Protocol (ICMP) Echo Request DOS, which can cause a vulnerable device to reboot by sending a large ICMP echo request packet; an HTTP Server DOS problem that could cause certain phones to reboot by sending a specially crafted HTTP request to TCP port 80; and a Secure Shell (SSH) flaw in other Cisco phones that could cause the phones to reboot if an unauthenticated attacker sent a specially crafted packet to port 22.” The company is reportedly working to fix all vulnerabilities. Cisco has also reportedly identified three vulnerabilities affecting its SIP devices, including a SIP Multipurpose Internet Mail Extensions (MIME) boundary overflow, a Telnet Server overflow, and a SIP Proxy Response overflow.”

This makes three UC-related alerts that Cisco has had to make so far this year. In January the company sent out an alert warning that its Unified Communications Manager contains a “heap overflow” vulnerability in the Certificate Trust List that could allow a hacker to cause a denial-of-service attack or execute arbitrary code.

Cisco has reportedly released free software updates to address the aforementioned vulnerability in Unified Communications Manager, which could open it up to an SQL injection attack in the parameter key of the admin and user interface pages. Such an attack could give a hacker access to usernames and password hashes that are stored in the database.