Cisco fixes critical flaw in call processing software

Cisco Systems Inc. Wednesday patched a critical vulnerability that it ranked as a perfect "10" on the security industry's standard bug scoring system.

The flaw in Cisco's Unified Communications Manager, formerly dubbed CallManager, could be used by attackers to slip malicious code into any PC running the software, the company said in an advisory posted Wednesday to its Web site.

It also pinned the bug with a 10 on the Common Vulnerability Scoring System, which maxes out at 10.

Symantec Corp. warned users of its DeepSight threat service of the flaw, and urged them to patch it as soon as possible. "Specially crafted requests can cause a logic flow that leads to a buffer overflow and can corrupt process data, such as heap-memory management structures or important pointers that are stored in adjacent memory," Symantec noted.

It also hinted that Cisco's advisory might fuel the creation of an exploit, which currently doesn't exist or hasn't been detected. "Detailed technical information is available for this flaw, which might expedite the development of a working exploit."

Cisco has updated the call manager software, posted links to the downloads in the advisory and provided instructions on how to disable the flawed service in lieu of patching. Network administrators should also block access to TCP Port 2444 at the perimeter, said Cisco.

TippingPoint, part of 3Com Corp., was credited with reporting the flaw to Cisco seven months ago.

According to Danish vulnerability tracker Secunia ASA, the Cisco call manager was patched four times last year, but one bug disclosed in March 2007 remains unpatched and another from May was only partially fixed.

Join the newsletter!

Error: Please check your email address.
Show Comments
[]