Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/20/2006
12:16 PM
50%
50%

Paint Another Target On Cisco As Enterprise VoIP Grows

Cisco's revelation Wednesday of two security alerts and fixes for CallManager, the software-based call-processing component of its IP communications technology, could have washed waves of despair over the budding voice-over-IP market. That is, if it had been the first whiff of security trouble for VoIP. The ability to launch denial-of-service attacks against VoIP networks, Cisco VoIP networks in particular, is nothing new. The real concern is holding the line against damage inflicted by VoIP att

Cisco's revelation Wednesday of two security alerts and fixes for CallManager, the software-based call-processing component of its IP communications technology, could have washed waves of despair over the budding voice-over-IP market. That is, if it had been the first whiff of security trouble for VoIP. The ability to launch denial-of-service attacks against VoIP networks, Cisco VoIP networks in particular, is nothing new. The real concern is holding the line against damage inflicted by VoIP attacks as the technology grows into the mainstream.Cisco CallManager versions with multilevel administration enabled may be vulnerable to privilege escalations, which may result in read-only users gaining administrative access to create, delete, or reset devices. The user-privilege problem, which was discovered by Switzerland's Cnlab AG, affects only CallManager systems that have multilevel administration enabled. CallManager's DOS vulnerability makes some of the company's IP telephony systems susceptible to attacks that interrupt service because of an inability to manage TCP network connections and Windows messages properly and could lead to phones not responding, phones unregistering from the Cisco CallManager, or Cisco CallManager restarting.

CallManager's vulnerability to denial-of-service attacks as well as hacks that would let users increase their system access privileges don't constitute a worst-case scenario. But when you consider Infonetics Research's prediction that spending on VoIP will grow from $1.2 billion in 2004 to $23 billion in 2009, it quickly becomes obvious that even minor security lapses could have a widespread impact on a company's ability to keep the phones up during a major network attack.

Cisco CallManager extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, VoIP gateways, and multimedia applications. Both the DOS and privilege-escalation vulnerabilities, whose patches are available, affect CallManager 3.2 and earlier, as well as certain versions of CallManager 3.3, 4.0, and 4.1.

Cisco's influence in the IP telephony market will only grow. A market share report issued Thursday by Synergy Research Group indicates that Cisco's IP telephony technology over the past year owned about 18% of the office telephone system market with more than 30,000 customers and 7 million phones sold over the six years Cisco has been in the market. This means Cisco's chances to avoid being a major target for security attacks is about as effective as an elephant successfully hiding behind a lamppost.

My colleague Nick Hoover and I set out to understand the implications of Cisco's growing dominance in the IP telephony market, and you can in the January 23 issue read what we discovered.

One source that didn't make it into Monday's story told me that people think that because they've implemented security on their IP network that voice-over-IP is taken care of. Think again, says Frank Dzubeck, president of Communications Network Architects Inc., an industry analysis firm in Washington, D.C. "Security in IT is not enough," he says. "You're going to have to consider security on the protocols that you use in the VoIP environment." Companies must also consider implementing network tunneling and data encryption to protect their VoIP communications.

Nick learned that, despite a lack of widespread attacks, security researchers have seen heavy scrutiny from hackers trying to probe endpoints -- phones and PC-based softphones -- for vulnerabilities. And there's also the possibility that hackers will trick phone users into handing over personal information, not unlike the goal of phishing. But that's not to exaggerate the risk. Symantec's Dave Cole calls the threat of VoIP attacks real, but warns that it shouldn't be overblown. There are many benefits. "Is there a dramatic amount of risk over people using normal phones?" says Cole, director of the company's Security Response program. "I don't think it is."

Sounds like a split decision for now, but keep in mind that any technology that becomes widely deployed also becomes a bigger target to the hacker community. Any plans for VoIP implementation should include a plan for managing worst-case-scenario security issues.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12928
PUBLISHED: 2019-06-24
The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.
CVE-2019-12929
PUBLISHED: 2019-06-24
The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.
CVE-2019-12936
PUBLISHED: 2019-06-23
BlueStacks App Player 2, 3, and 4 before 4.90 allows DNS Rebinding for attacks on exposed IPC functions.
CVE-2019-12937
PUBLISHED: 2019-06-23
apps/gsudo.c in gsudo in ToaruOS through 1.10.9 has a buffer overflow allowing local privilege escalation to the root user via the DISPLAY environment variable.
CVE-2019-12935
PUBLISHED: 2019-06-23
Shopware before 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI.