ABOUT THE AUTHOR

Eric Krapf
Eric Krapf is the Program Co-Chair of the Enterprise Connect events, helping to set program content and direction for the...
Read Full Bio >>
SHARE

Eric Krapf | June 26, 2008 |

 
 
share
 

More Cisco, Avaya, Nortel Vulnerabilities Named

More Cisco, Avaya, Nortel Vulnerabilities Named VOIPShield has released a new raft of vulnerabilities that it found in IP telephony systems from Cisco, Avaya and Nortel (announcement here; vulnerability details here). Unlike its previous such announcement, VOIPShield has this time coordinated the release with the affected vendors, avoiding the criticism it faced the last time, when VOIPShield went public with the vulnerabilities before the affected vendors could address all of them.

VOIPShield has released a new raft of vulnerabilities that it found in IP telephony systems from Cisco, Avaya and Nortel (announcement here; vulnerability details here). Unlike its previous such announcement, VOIPShield has this time coordinated the release with the affected vendors, avoiding the criticism it faced the last time, when VOIPShield went public with the vulnerabilities before the affected vendors could address all of them.

VOIPShield has released a new raft of vulnerabilities that it found in IP telephony systems from Cisco, Avaya and Nortel (announcement here; vulnerability details here). Unlike its previous such announcement, VOIPShield has this time coordinated the release with the affected vendors, avoiding the criticism it faced the last time, when VOIPShield went public with the vulnerabilities before the affected vendors could address all of them.This week's announcement found a total of 45 vulnerabilities--29 with Avaya; 12 with Cisco and 4 with Nortel. VOIPShield gave its most severe rating, "Critical," to

  • An exploit that could expose system configuration information in Avaya's SIP Enablement Service. (VOIPShield reports that Avaya is "attempting to address the issue".)

  • A potential denial of service attack against Cisco's Unified Communications Manager 6.x and against UCM 5.x. (VOIPShield reports that Cisco has made a patch available).

  • A potential denial of service attack against Nortel's CS1000 4.50.x. (VOIPShield reports that Nortel is "attempting to address the issue," noting in its report, "Completely addressing the issue requires a patch from Nortel, which Nortel has indicated is being worked on, but the availability and timing of this patch have not yet been identified.") Nortel's Security Bulletin on the vulnerability states, "To our knowledge, this attack has not been launched against any of our customers."

  • A potential denial of service attack against the Wireless Client Manager (WiCM) SIP proxy in Nortel's MCS5100 3.x. (VOIPShield says Nortel has a "workaround proposed".) The Nortel Security Bulletin on this reported vulnerability states, "Recommended solution is to use a corporate NAT/FW in order to prevent such malicious actions from outside. WiCM is normally configured inside the corp network/firewall." On the other hand, VOIPShield contends that, "To completely address the issue requires a patch from Nortel. In the short term it is recommended that a VoIP-aware IPS [intrusion prevention system] product, such as [VOIPShield's] VoIPguard, with signatures to detect attempts to exploit this issue, be implemented to prevent it from being exploited. In addition, implementation of general best practice guidance such as controlling access to telephony networks via VLANs, access control lists, firewalls, network admission controls and/or other security devices will aid in limiting the exposure of this vulnerability."



    • COMMENTS



    Currently we allow the following HTML tags in comments:

    Single tags

    These tags can be used alone and don't need an ending tag.

    <br> Defines a single line break

    <hr> Defines a horizontal line

    Matching tags

    These require an ending tag - e.g. <i>italic text</i>

    <a> Defines an anchor

    <b> Defines bold text

    <big> Defines big text

    <blockquote> Defines a long quotation

    <caption> Defines a table caption

    <cite> Defines a citation

    <code> Defines computer code text

    <em> Defines emphasized text

    <fieldset> Defines a border around elements in a form

    <h1> This is heading 1

    <h2> This is heading 2

    <h3> This is heading 3

    <h4> This is heading 4

    <h5> This is heading 5

    <h6> This is heading 6

    <i> Defines italic text

    <p> Defines a paragraph

    <pre> Defines preformatted text

    <q> Defines a short quotation

    <samp> Defines sample computer code text

    <small> Defines small text

    <span> Defines a section in a document

    <s> Defines strikethrough text

    <strike> Defines strikethrough text

    <strong> Defines strong text

    <sub> Defines subscripted text

    <sup> Defines superscripted text

    <u> Defines underlined text

    Did you know you can style comments using HTML tags and upload your avatar photo? To upload your avatar photo, first complete your Disqus profile. Once your profile is complete, you may add your avatar photo. (Hide this hint)

    Sign up to the No Jitter email newsletters

    • Catch up with the blogs, features and columns from No Jitter, the online community for the IP communications industry. Each Thursday, we'll send you a synopsis of the high-impact articles, podcasts and other material posted to No Jitter that week, with links for quick access.

    • A quick hit of original analysis by the experts who bring you Enterprise Connect, the leading event in Enterprise Communications & Collaboration. Each Wednesday, this enewsletter delivers to your email box a thought-provoking, objective take on the latest news and trends in the industry.

    Your email address is required for membership. For details about the user information, please read the UBM Privacy Statement

    As an added benefit, would you like to receive relevant 3rd party offers about new products/services and discounted offers via email? Yes

    * = Required Field
    Enterprise Connect Orlando 2012
    Keynote Speakers Announced
    Enterprise Connect is proud to announce the following industry leaders will deliver keynote addresses at Enterprise Connect Orlando:
    --Steven J. Bandrowczak, Vice President & General Manager, Avaya Networking
    --OJ Winge, Senior VP/GM,Video & Collaboration, Cisco
    --Kirk Koenigsbauer, Corporate VP, Office Business Group, Microsoft
    --Alistair Rennie, GM, Lotus Software and Collaboration Solutions, IBM Software Group
    Enterprise Connect Webinars
    Building Cloud Grade Data Center Networks
    Wednesday, Nov. 30, 2 PM EST/11 AM PST

    This presentation reviews best practices and tools for implementing data center clouds, including how to pin-point and resolve problems, and minimize cost while maximizing performance and usability.
    Virtual Enterprise Connect
    Implementing Microsoft Lync in the Enterprise--REGISTER NOW!
    This in-depth Virtual Event will feature detailed presentations by technology experts who can help you plan your Lync-based UC migration and get the most out of all that Lync has to offer..
    Enterprise Connect Orlando 2012
    Orlando Conference Program Announced
    The Enterprise Connect conference program has been published! Our confernce is designed with one over-riding objective: To help you make the best decisions as you migrate your enterprise communications and collaboration.
    Trending Now
    Upcoming Events
    Webinars Virtual Events Live Events
    Mobile Collaboration: Faster, Smarter, Better
    February 15, 2012
    For employees away from the office—whether on the go, at a remote location, or telecommuting from home—success depends on connecting the right people with the right information anywhere to a...
    A Proven Approach-Four Steps to Drive Organizational Video Adoption
    February 1, 2012
    Have your video implementation projects fallen short of your expectations in user satisfaction or utilization? Reaping the benefits depends on not only on selecting the technology, but on careful plan...
    Real-World Lessons for Your UC Migration
    January 18, 2012
    As your enterprise moves into its Unified Communications migration, you’ll need to meet short-, medium- and long-term goals that provide investment protection, return on investment, and real bus...
    More Webinars
    More Virtual Events