Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/20/2006
12:16 PM
50%
50%

Paint Another Target On Cisco As Enterprise VoIP Grows

Cisco's revelation Wednesday of two security alerts and fixes for CallManager, the software-based call-processing component of its IP communications technology, could have washed waves of despair over the budding voice-over-IP market. That is, if it had been the first whiff of security trouble for VoIP. The ability to launch denial-of-service attacks against VoIP networks, Cisco VoIP networks in particular, is nothing new. The real concern is holding the line against damage inflicted by VoIP att

Cisco's revelation Wednesday of two security alerts and fixes for CallManager, the software-based call-processing component of its IP communications technology, could have washed waves of despair over the budding voice-over-IP market. That is, if it had been the first whiff of security trouble for VoIP. The ability to launch denial-of-service attacks against VoIP networks, Cisco VoIP networks in particular, is nothing new. The real concern is holding the line against damage inflicted by VoIP attacks as the technology grows into the mainstream.Cisco CallManager versions with multilevel administration enabled may be vulnerable to privilege escalations, which may result in read-only users gaining administrative access to create, delete, or reset devices. The user-privilege problem, which was discovered by Switzerland's Cnlab AG, affects only CallManager systems that have multilevel administration enabled. CallManager's DOS vulnerability makes some of the company's IP telephony systems susceptible to attacks that interrupt service because of an inability to manage TCP network connections and Windows messages properly and could lead to phones not responding, phones unregistering from the Cisco CallManager, or Cisco CallManager restarting.

CallManager's vulnerability to denial-of-service attacks as well as hacks that would let users increase their system access privileges don't constitute a worst-case scenario. But when you consider Infonetics Research's prediction that spending on VoIP will grow from $1.2 billion in 2004 to $23 billion in 2009, it quickly becomes obvious that even minor security lapses could have a widespread impact on a company's ability to keep the phones up during a major network attack.

Cisco CallManager extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, VoIP gateways, and multimedia applications. Both the DOS and privilege-escalation vulnerabilities, whose patches are available, affect CallManager 3.2 and earlier, as well as certain versions of CallManager 3.3, 4.0, and 4.1.

Cisco's influence in the IP telephony market will only grow. A market share report issued Thursday by Synergy Research Group indicates that Cisco's IP telephony technology over the past year owned about 18% of the office telephone system market with more than 30,000 customers and 7 million phones sold over the six years Cisco has been in the market. This means Cisco's chances to avoid being a major target for security attacks is about as effective as an elephant successfully hiding behind a lamppost.

My colleague Nick Hoover and I set out to understand the implications of Cisco's growing dominance in the IP telephony market, and you can in the January 23 issue read what we discovered.

One source that didn't make it into Monday's story told me that people think that because they've implemented security on their IP network that voice-over-IP is taken care of. Think again, says Frank Dzubeck, president of Communications Network Architects Inc., an industry analysis firm in Washington, D.C. "Security in IT is not enough," he says. "You're going to have to consider security on the protocols that you use in the VoIP environment." Companies must also consider implementing network tunneling and data encryption to protect their VoIP communications.

Nick learned that, despite a lack of widespread attacks, security researchers have seen heavy scrutiny from hackers trying to probe endpoints -- phones and PC-based softphones -- for vulnerabilities. And there's also the possibility that hackers will trick phone users into handing over personal information, not unlike the goal of phishing. But that's not to exaggerate the risk. Symantec's Dave Cole calls the threat of VoIP attacks real, but warns that it shouldn't be overblown. There are many benefits. "Is there a dramatic amount of risk over people using normal phones?" says Cole, director of the company's Security Response program. "I don't think it is."

Sounds like a split decision for now, but keep in mind that any technology that becomes widely deployed also becomes a bigger target to the hacker community. Any plans for VoIP implementation should include a plan for managing worst-case-scenario security issues.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16680
PUBLISHED: 2019-09-21
An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction.
CVE-2019-16681
PUBLISHED: 2019-09-21
The Traveloka application 3.14.0 for Android exports com.traveloka.android.activity.common.WebViewActivity, leading to file disclosure and XSS.
CVE-2019-16677
PUBLISHED: 2019-09-21
An issue was discovered in idreamsoft iCMS V7.0. admincp.php?app=members&do=del allows CSRF.
CVE-2019-16678
PUBLISHED: 2019-09-21
admin/urlrule/add.html in YzmCMS 5.3 allows CSRF with a resultant denial of service by adding a superseding route.
CVE-2019-16679
PUBLISHED: 2019-09-21
Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, leading to Local File Inclusion.