Cisco patches holes in IP telephony software
Cisco has reported several vulnerabilities in its IP telephony products that could cause services to fail. The affected components are Cisco Unified CallManager (CUCM) and Cisco Unified Presence Server (CUPS). Skinny Call Control Protocol (SCCP) processing services can be crashed by a series of specially crafted packets; Secure SCCP (SCCPS) is also affected by this problem. The bug can be found in CUCM 3.x, 4.x, and 5.0; CUPS is not affected. However, both CUCM and CUPS systems can be made to fail by a large number of PING packets. For this flaw, only CUCM version 5.0 and CUPS 1.0 appear vulnerable.
In addition, a bug in IPSec Manager causes the service to crash when a specific UDP packet is sent to port 8500. This will impact call forwarding but, according to Cisco, doesn't affect normal telephone operation. CUCM 5.0 and CUPS 1.0 are vulnerable. Updates have been made available for all these vulnerabilities. There is no workaround, although filtering network access to the affected systems may help.
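The filtering suggested above can be checked against traffic records before it is applied on a firewall. This added example (not from Cisco or the original article) replays constructed flow records against a policy that drops UDP port 8500 from non-cluster sources and rate-limits PING (ICMP echo) to CUCM/CUPS hosts; the addresses, record layout, peer allowlist and threshold are assumptions.

```python
from collections import Counter
from ipaddress import ip_address

# Assumptions, not from the article: addresses, record layout, threshold, and
# that only other cluster nodes need to reach UDP 8500 on the servers.
PROTECTED = {ip_address("192.0.2.10"), ip_address("192.0.2.20")}    # CUCM, CUPS
CLUSTER_PEERS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}
ICMP_ECHO_LIMIT = 5    # echo requests per source/destination pair per second

# Constructed records: "epoch_second src dst proto dport_or_icmp_type"
SAMPLE = [
    "1000 192.0.2.11 192.0.2.10 udp 8500",     # cluster peer: allowed
    "1000 198.51.100.7 192.0.2.10 udp 8500",   # outside source: dropped
    "1000 198.51.100.7 192.0.2.10 tcp 443",    # not covered by this policy
    "1001 203.0.113.9 192.0.2.99 udp 8500",    # destination not protected
]
SAMPLE += ["1001 192.0.2.50 192.0.2.20 icmp 8"] * 3    # monitoring-level ping
SAMPLE += ["1001 203.0.113.9 192.0.2.20 icmp 8"] * 8   # burst above the limit


def parse(line):
    ts, src, dst, proto, arg = line.split()
    return int(ts), ip_address(src), ip_address(dst), proto.lower(), int(arg)


def evaluate(lines):
    """Return (drops, alerts): records the filter would drop, and the
    (source, destination) pairs that exceeded the echo rate limit."""
    drops, alerts, echo = [], set(), Counter()
    for line in lines:
        ts, src, dst, proto, arg = parse(line)
        if dst not in PROTECTED:
            continue
        if proto == "udp" and arg == 8500 and src not in CLUSTER_PEERS:
            drops.append((str(src), str(dst), "udp/8500 from non-cluster source"))
        elif proto == "icmp" and arg == 8:     # ICMP type 8 = echo request
            echo[(ts, src, dst)] += 1
            if echo[(ts, src, dst)] > ICMP_ECHO_LIMIT:
                drops.append((str(src), str(dst), "icmp echo over rate limit"))
                alerts.add((str(src), str(dst)))
    return drops, sorted(alerts)


if __name__ == "__main__":
    dropped, flooders = evaluate(SAMPLE)
    for record in dropped:
        print("DROP", *record)
    print("echo flood sources:", flooders)
```
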
- Multiple Cisco Unified CallManager and Presence Server Denial of Service Vulnerabilities, Cisco security advisory