
1/20/2006
12:16 PM

Paint Another Target On Cisco As Enterprise VoIP Grows

Cisco's revelation Wednesday of two security alerts and fixes for CallManager, the software-based call-processing component of its IP communications technology, could have washed waves of despair over the budding voice-over-IP market. That is, if it had been the first whiff of security trouble for VoIP. The ability to launch denial-of-service attacks against VoIP networks, Cisco VoIP networks in particular, is nothing new. The real concern is holding the line against damage inflicted by VoIP attacks as the technology grows into the mainstream.

Cisco CallManager versions with multilevel administration enabled may be vulnerable to privilege escalations, which may result in read-only users gaining administrative access to create, delete, or reset devices. The user-privilege problem, which was discovered by Switzerland's Cnlab AG, affects only CallManager systems that have multilevel administration enabled. CallManager's DoS vulnerability makes some of the company's IP telephony systems susceptible to attacks that interrupt service because the software fails to manage TCP network connections and Windows messages properly. Such attacks could lead to phones not responding, phones unregistering from the Cisco CallManager, or Cisco CallManager restarting.

CallManager's vulnerabilities to denial-of-service attacks and to hacks that would let users increase their system access privileges don't constitute a worst-case scenario. But when you consider Infonetics Research's prediction that spending on VoIP will grow from $1.2 billion in 2004 to $23 billion in 2009, it quickly becomes obvious that even minor security lapses could have a widespread impact on a company's ability to keep the phones up during a major network attack.

Cisco CallManager extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, VoIP gateways, and multimedia applications. Both the DoS and privilege-escalation vulnerabilities, for which patches are available, affect CallManager 3.2 and earlier, as well as certain versions of CallManager 3.3, 4.0, and 4.1.

Cisco's influence in the IP telephony market will only grow. A market share report issued Thursday by Synergy Research Group indicates that Cisco's IP telephony technology over the past year owned about 18% of the office telephone system market, with more than 30,000 customers and 7 million phones sold over the six years Cisco has been in the market. This means Cisco's chances of avoiding being a major target for security attacks are about as good as an elephant's chances of hiding behind a lamppost.

My colleague Nick Hoover and I set out to understand the implications of Cisco's growing dominance in the IP telephony market, and you can read what we discovered in the January 23 issue.

One source that didn't make it into Monday's story told me that people think that, because they've implemented security on their IP network, voice-over-IP is taken care of. Think again, says Frank Dzubeck, president of Communications Network Architects Inc., an industry analysis firm in Washington, D.C. "Security in IT is not enough," he says. "You're going to have to consider security on the protocols that you use in the VoIP environment." Companies must also consider implementing network tunneling and data encryption to protect their VoIP communications.

Nick learned that, despite a lack of widespread attacks, security researchers have seen heavy scrutiny from hackers trying to probe endpoints -- phones and PC-based softphones -- for vulnerabilities. And there's also the possibility that hackers will trick phone users into handing over personal information, not unlike the goal of phishing. But that's not to exaggerate the risk. Symantec's Dave Cole calls the threat of VoIP attacks real, but warns that it shouldn't be overblown. There are many benefits. "Is there a dramatic amount of risk over people using normal phones?" says Cole, director of the company's Security Response program. "I don't think it is."

Sounds like a split decision for now, but keep in mind that any technology that becomes widely deployed also becomes a bigger target to the hacker community. Any plans for VoIP implementation should include a plan for managing worst-case-scenario security issues.
