Posted by Sleeper on 03 April 2002 - 08:01 · 3 comments & 365 views
CISCO SYSTEMS ISSUED an advisory late last week saying that its CallManager call-processing application has a security flaw in it that could leave the product open to a denial of service (DoS) attack.

Cisco has released a patch for this vulnerability.

The bug, which affects CallManager versions 3.0 and 3.1, is the result of a memory leak that can be triggered when a user fails to properly authenticate using the Computer Telephony Integration (CTI) component of CallManager, Cisco said. The flaw can cause the software to crash and could be used to initiate a DoS attack against the product, the advisory said.

The authentication failure problem is most common in systems that have been recently integrated with customer directories, Cisco said. This scenario results from incorrectly configuring the WebAttendant portion of the program, leaving it without a valid password, Cisco said. Systems that do not use the WebAttendant will also be vulnerable, however, as the Telephony Call Dispatch service is enabled by default.

Other components of the CallManager software may also stop working properly due to the misconfiguration, Cisco said.

More information about the vulnerability is available in Cisco's advisory, posted online at http://www.cisco.com/warp/public/707/callmanager-ctifw-leak-pub.shtml

Customers should contact Cisco, their reseller or other normal channels to obtain a security fix for the vulnerability, Cisco said.

News source: InfoWorld.com


Work-arounds for the vulnerability include disabling all "active" content in Internet Explorer (which is used by parts of Outlook) and fully deleting the spreadsheet component of Office XP. Guninski also wrote that "the solution is to get a real mail client and office applications."

In a statement e-mailed to the IDG News Service, Microsoft said that it is investigating the matter, but also acknowledged the accuracy of the first vulnerability.

As a work-around for that flaw, Microsoft recommends disabling HTML (Hypertext Markup Language) e-mail and not selecting Microsoft Word as the e-mail editor.

As for the second vulnerability, Microsoft said it does "not as yet have a work-around for the second issue, but note that even in the worst case it could only be used to create files -- not to execute them or take any other action on the user's computer."

"We are concerned that this report has gone public before we've had a fair chance to investigate it," Microsoft said in the statement. "Its publication may put our customers at risk or at the very least cause customers needless confusion and apprehension. Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk."


