Cisco Issues Patch To Fix IP Telephony Security Issue

A week after Cisco posted a notice on its Web site warning users that routers connected to its IP telephony gear could be vulnerable to denial of dervice (DoS) attacks, the company has issued a patch to solve a DoS vulnerability that could be exploited to crash a company’s phone network.

Cisco Internetwork Operating System (IOS) software is vulnerable to a DoS attack from crafted IPv6 packets when the device has been configured to process IPv6 traffic, according to the company. This vulnerability requires multiple crafted packets to be sent to the device, which might result in a reload upon successful exploitation.

In a statement on its Web site, Cisco said a successful exploitation of the flaw “may cause a reload of the device, which could be exploited repeatedly to produce a denial of service (DoS) attack.” In addition to the patch, Cisco said there are also workarounds available to reduce the risk of the problem.

VoIP Impacts?

Chris Byrnes, senior vice president at META Group, told the E-Commerce Times that no operating system is perfect. There have been serious flaws in the past and there will be flaws in the future, he said.

“We’ve had a lot of reports of flaws in network equipment that could enable denial of service attacks, but we’ve had realistically no denial of service attacks that have broadly impacted the Internet,” Byrnes said. “They have always been very closely targeted and generally very short-term.”

Byrnes doesn’t think companies need to be overly concerned about the possibility of corporate communications systems crashing.

“Generally speaking, VoIP [Voice over Internet Protocol] travels inside a corporate boundary,” Byrnes said. “If a carrier is using this equipment, then in theory there could be a minor impact, but while you might have a hiccup in voice transmissions, the Internet should relatively cleanly route around the problem in almost real-time.”

Vulnerable Products

Only the Cisco devices running IOS and configured for IPv6 are affected. A router will display all IPv6 enabled interfaces with the “show ipv6 interface” command, the company said.

An empty output or an error message will be displayed if IPv6 is disabled or unsupported on the system. In this case, the system is not vulnerable, according to Cisco.

A router that has IPv6 enabled on a physical or logical interface is vulnerable to this issue even if ipv6 unicast-routing is globally disabled. The “show ipv6 interface” command can be used to determine whether IPv6 is enabled on any interface.

Products that are not running Cisco IOS are not affected, and productsrunning any version of Cisco IOS that do not have IPv6 configured interfaces are not vulnerable, the company said.