15 May 2008, 08:57

Denial of service holes in Cisco products

Network appliance vendor Cisco has reported several vulnerabilities in its Unified Presence and Unified Communications Manager products which can be exploited for denial of service attacks. The Content Switching Module also contains such a vulnerability.

The Content Switching Module (CSM) is an accelerator for Catalyst series 6500 and 7600 devices. When it is configured for layer 7 load balancing this allows TCP packets containing certain unspecified flags to trigger memory leaks. As a consequence, the system is paralysed if the CSM is unable to make balancing decisions because the servers behind it are overloaded. The flaw has been fixed in software version 4.2.9 for the CSM.

The Presence Engine service of Cisco's Unified Presence product contains two denial of service vulnerabilities which can be triggered using specially crafted IP packets. There is no workaround, and updating to version 6.0(1) of the software is the only solution.

Cisco also report several DoS holes in its Unified Communications Manager. The Certificate Trust List Provider (CTL), which is active by default and listens to incoming traffic on TCP port 2444, uses a large amount of memory when it receives specially crafted TCP packets. The Certificate Authority Proxy listens on TCP port 3804 and trips over specially crafted requests; however, this service is not active by default. In addition, specially crafted SIP messages including SIP JOIN and SIP INVITE can trigger a DoS. Manipulated UDP packets addressed for the SNMP Trap Agent listening on UDP port 61441 can also result in a denial of service condition.

Administrators can find suggestions about how to make their devices secure without software updates in Cisco's security advisories. In addition, Cisco has made software updates available for registered users. Administrators are advised to download and install the updates at their earliest convenience.

See also: