CISCO SYSTEMS ISSUED an advisory late last week saying that its CallManager call-processing application has a security flaw in it that could leave the product open to a denial of service (DoS) attack.
Cisco has released a patch for this vulnerability.
The bug, which affects CallManager versions 3.0 and 3.1, is the result of a memory leak that can be triggered when a user fails to properly authenticate using the Computer Telephony Integration (CTI) component of CallManager, Cisco said. The flaw can cause the software to crash and could be used to initiate a DoS attack against the product, the advisory said.
The authentication failure problem is most common in systems that have been recently integrated with customer directories, Cisco said. This scenario results from incorrectly configuring the WebAttendant portion of the program, leaving it without a valid password, Cisco said. Systems that do not use the WebAttendant will also be vulnerable, however, as the Telephony Call Dispatch service is enabled by default.
Other components of the CallManager software may also stop working properly due to the misconfiguration, Cisco said.
More information about the vulnerability is available in Cisco's advisory, posted online at http://www.cisco.com/warp/public/707/callmanager-ctifw-leak-pub.shtml
Customers should contact Cisco, their reseller or other normal channels to obtain a security fix for the vulnerability, Cisco said.
News source: InfoWorld.com
View: The Full Story
Cisco has released a patch for this vulnerability.
The bug, which affects CallManager versions 3.0 and 3.1, is the result of a memory leak that can be triggered when a user fails to properly authenticate using the Computer Telephony Integration (CTI) component of CallManager, Cisco said. The flaw can cause the software to crash and could be used to initiate a DoS attack against the product, the advisory said.
The authentication failure problem is most common in systems that have been recently integrated with customer directories, Cisco said. This scenario results from incorrectly configuring the WebAttendant portion of the program, leaving it without a valid password, Cisco said. Systems that do not use the WebAttendant will also be vulnerable, however, as the Telephony Call Dispatch service is enabled by default.
Other components of the CallManager software may also stop working properly due to the misconfiguration, Cisco said.
More information about the vulnerability is available in Cisco's advisory, posted online at http://www.cisco.com/warp/public/707/callmanager-ctifw-leak-pub.shtml
Customers should contact Cisco, their reseller or other normal channels to obtain a security fix for the vulnerability, Cisco said.
News source: InfoWorld.com View: The Full Story
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.