The French Security Incident Response Team today
rated the flaws "critical." They affect the Cisco Unified Communications Manager, formerly known as CallManager, which processes VoIP calls.
Both conditions permit DoS attacks or remote code execution. Tom Cross, a researcher on the IBM-ISS X-Force team that discovered the flaws, said they allow an attacker to do a number of things, including accessing voicemail or hijacking calls to route them to another number or listening device. There have been no public exploits.
"These are some of the most significant vulnerabilities we have seen in a voice over IP system," Cross told SCMagazine.com, "both because of the nature of the device being attacked and the amount of privilege an attacker gets as a result of exploiting them."
The first vulnerability is an error in the certificate trust list provider that could allow a heap-based buffer overflow. The second bug is an error in the real-time information server data collector component that can also result in a heap-based overflow. The trust list provider distributes lists for authenticating components in a VoIP network, while the server data collector service monitors devices.
Cisco recommends users upgrade to the latest versions to correct the vulnerabilities, according to a company advisory.
Cross said he worries some organizations may not have "processes and disciplines" in place for patching VoIP systems.
"It's a phone system, not something the computer and networking guys are always dealing with," he said.
Rohit Dhamankar, senior manager of security research at TippingPoint, told SCMagazine.com that VoIP is an emerging threat that companies must monitor. Businesses running VoIP should scan their systems to ensure no unnecessary ports are being opened, he said.