CISCO SYSTEMS ISSUED an advisory late last week saying that its CallManager call-processing application has a security flaw that could leave the product open to a denial-of-service (DoS) attack.

Cisco has released a patch for this vulnerability.

The bug, which affects CallManager versions 3.0 and 3.1, is the result of a memory leak that can be triggered when a user fails to properly authenticate using the Computer Telephony Integration (CTI) component of CallManager, Cisco said. The flaw can cause the software to crash and could be used to initiate a DoS attack against the product, the advisory said.

The authentication failure problem is most common in systems that have been recently integrated with customer directories, Cisco said. This scenario results from incorrectly configuring the WebAttendant portion of the program, leaving it without a valid password, Cisco said. Systems that do not use the WebAttendant will also be vulnerable, however, as the Telephony Call Dispatch service is enabled by default.

Other components of the CallManager software may also stop working properly due to the misconfiguration, Cisco said.

More information about the vulnerability is available in Cisco's advisory, posted online at http://www.cisco.com/warp/public/707/callmanager-ctifw-leak-pub.shtml.

Customers should contact Cisco, their reseller or other normal channels to obtain a security fix for the vulnerability, Cisco said.