Flaw Identified in Cisco Unified Communications Manager
Cisco, the networking giant, has warned of a flaw in its Unified Communications Manager software that allows a remote, unauthenticated user to cause a denial of service or execute arbitrary code.
In a security advisory, Cisco said that its CallManager, now Cisco Unified Communications Manager (CUCM), is vulnerable to a heap overflow in the Certificate Trust List (CTL) Provider service, as reported by ZDNet.co.uk on 17 January 2008.
The CTL is used by Cisco Unified IP Phone devices to verify the identity of CUCM servers. The weak point is the network interface of the CTL Provider service: it listens on TCP port 2444 by default, and it is the input arriving on that port that triggers the heap overflow. The port is user-configurable, so a given cluster may expose the service on a different one.
Alongside the fix, Cisco lists two workarounds. The simplest is to disable the CTL Provider service whenever it is not needed (it is only required while a CTL is being built or updated). Where the service must stay enabled, the risk can be reduced by filtering traffic to the service's TCP port on screening devices such as firewalls and router access lists, so that only trusted management hosts can reach it. Cisco credits TippingPoint with discovering and reporting the flaw.
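As an added illustration of the traffic-filtering workaround (this is not code from the article or from Cisco's advisory), the following Cisco IOS access list restricts the CTL Provider service's TCP port to a single management host. The addresses are assumptions: 10.0.0.10 stands for the CUCM publisher and 10.0.0.50 for the workstation that runs the CTL Client; 2444 is the service's default port, so if the port has been changed on the cluster the two entries must be adjusted to match.

```cisco
! Assumed addresses (not from the article): 10.0.0.10 = CUCM publisher,
! 10.0.0.50 = management workstation running the CTL Client.
! 2444 = default CTL Provider TCP port; change it if the cluster uses another.
!
! Weak: the interface carries no ACL, so every host that can route to the
! server can send traffic to the CTL Provider service.
! interface GigabitEthernet0/1
!  description Voice VLAN uplink toward CUCM
!
! Corrected: admit only the CTL Client host, log and drop everyone else,
! and leave the rest of the voice traffic untouched.
ip access-list extended CTL-PROVIDER-FILTER
 remark Allow the CTL Client workstation to reach the CTL Provider service
 permit tcp host 10.0.0.50 host 10.0.0.10 eq 2444
 remark Drop (and log) every other attempt to reach the CTL Provider port
 deny   tcp any host 10.0.0.10 eq 2444 log
 remark Other traffic to the cluster (SCCP, SIP, RTP, HTTPS, ...) is unaffected
 permit ip any any
!
interface GigabitEthernet0/1
 description Voice VLAN uplink toward CUCM
 ip access-group CTL-PROVIDER-FILTER in
```

The access list only inspects traffic that crosses this interface; hosts on the same VLAN as the server reach it directly, so the filter belongs on every path into the server segment (or on a firewall in front of it), and disabling the service while no CTL is being built remains the stronger control. The `log` keyword on the deny entry records connection attempts against the port, which is useful for spotting probes while the fixed software is rolled out; `show access-lists CTL-PROVIDER-FILTER` displays the per-entry hit counts.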
Cisco's security advisory notes that many of its products are supplied to customers through existing third-party agreements with support organizations. Customers who bought through Cisco partners, service providers, or authorized resellers should contact those support organizations for help; they will be able to advise on the proper course of action.
The effectiveness of any workaround depends on the customer's specific circumstances, such as traffic patterns, product mix, network topology, and the company's strategic goals.
The advisory further states that customers who bought from a third party and cannot obtain fixed software from that vendor, and customers who bought directly from Cisco but have no Cisco service contract, should contact the Cisco Technical Assistance Center (TAC) to obtain the updates.
Cisco has released free software updates that address the vulnerability, but customers should check compatibility and known issues specific to their environment before installing them. The flaw affects Cisco Unified CallManager versions 3.3, 4.0, 4.1 and 5.0 and Cisco Unified Communications Manager versions 4.2, 4.3, 5.1 and 6.0.
» SPAMfighter News - 25-01-2008