SHARE



ABOUT THE AUTHOR


Eric Krapf
Eric Krapf is General Manager and Program Co-Chair for Enterprise Connect, the leading conference/exhibition and online events brand in the...
Read Full Bio >>
SHARE



Eric Krapf | June 26, 2008 |

 
   

More Cisco, Avaya, Nortel Vulnerabilities Named

More Cisco, Avaya, Nortel Vulnerabilities Named VOIPShield has released a new raft of vulnerabilities that it found in IP telephony systems from Cisco, Avaya and Nortel (announcement here; vulnerability details here). Unlike its previous such announcement, VOIPShield has this time coordinated the release with the affected vendors, avoiding the criticism it faced the last time, when VOIPShield went public with the vulnerabilities before the affected vendors could address all of them.

VOIPShield has released a new raft of vulnerabilities that it found in IP telephony systems from Cisco, Avaya and Nortel (announcement here; vulnerability details here). Unlike its previous such announcement, VOIPShield has this time coordinated the release with the affected vendors, avoiding the criticism it faced the last time, when VOIPShield went public with the vulnerabilities before the affected vendors could address all of them.

VOIPShield has released a new raft of vulnerabilities that it found in IP telephony systems from Cisco, Avaya and Nortel (announcement here; vulnerability details here). Unlike its previous such announcement, VOIPShield has this time coordinated the release with the affected vendors, avoiding the criticism it faced the last time, when VOIPShield went public with the vulnerabilities before the affected vendors could address all of them.This week's announcement found a total of 45 vulnerabilities--29 with Avaya; 12 with Cisco and 4 with Nortel. VOIPShield gave its most severe rating, "Critical," to

  • An exploit that could expose system configuration information in Avaya's SIP Enablement Service. (VOIPShield reports that Avaya is "attempting to address the issue".)

  • A potential denial of service attack against Cisco's Unified Communications Manager 6.x and against UCM 5.x. (VOIPShield reports that Cisco has made a patch available).

  • A potential denial of service attack against Nortel's CS1000 4.50.x. (VOIPShield reports that Nortel is "attempting to address the issue," noting in its report, "Completely addressing the issue requires a patch from Nortel, which Nortel has indicated is being worked on, but the availability and timing of this patch have not yet been identified.") Nortel's Security Bulletin on the vulnerability states, "To our knowledge, this attack has not been launched against any of our customers."

  • A potential denial of service attack against the Wireless Client Manager (WiCM) SIP proxy in Nortel's MCS5100 3.x. (VOIPShield says Nortel has a "workaround proposed".) The Nortel Security Bulletin on this reported vulnerability states, "Recommended solution is to use a corporate NAT/FW in order to prevent such malicious actions from outside. WiCM is normally configured inside the corp network/firewall." On the other hand, VOIPShield contends that, "To completely address the issue requires a patch from Nortel. In the short term it is recommended that a VoIP-aware IPS [intrusion prevention system] product, such as [VOIPShield's] VoIPguard, with signatures to detect attempts to exploit this issue, be implemented to prevent it from being exploited. In addition, implementation of general best practice guidance such as controlling access to telephony networks via VLANs, access control lists, firewalls, network admission controls and/or other security devices will aid in limiting the exposure of this vulnerability."





  • COMMENTS



    April 19, 2017

    Now more than ever, enterprise contact centers have a unique opportunity to lead the way towards complete, digital transformation. Moving your contact center to the cloud is a starting point, quick

    April 5, 2017

    Its no secret that the cloud offers significant benefits to enterprises - including cost reduction, scalability, higher efficiency, and more flexibility. If your phone system and contact center are

    March 22, 2017

    As today's competitive business environments push workforces into overdrive, many enterprises are seeking ways of streamlining workflows while optimizing productivity, business agility, and speed.

    April 20, 2017
    Robin Gareiss, president of Nemertes Research, shares insight gleaned from the firm's 12th annual UCC Total Cost of Operations study.
    March 23, 2017
    Tim Banting, of Current Analysis, gives us a peek into what the next three years will bring in advance of his Enterprise Connect session exploring the question: Will there be a new model for enterpris....
    March 15, 2017
    Andrew Prokop, communications evangelist with Arrow Systems Integration, discusses the evolving role of the all-important session border controller.
    March 9, 2017
    Organizer Alan Quayle gives us the lowdown on programmable communications and all you need to know about participating in this pre-Enterprise Connect hackathon.
    March 3, 2017
    From protecting against new vulnerabilities to keeping security assessments up to date, security consultant Mark Collier shares tips on how best to protect your UC systems.
    February 24, 2017
    UC analyst Blair Pleasant sorts through the myriad cloud architectural models underlying UCaaS and CCaaS offerings, and explains why knowing the differences matter.
    February 17, 2017
    From the most basics of basics to the hidden gotchas, UC consultant Melissa Swartz helps demystify the complex world of SIP trunking.
    February 7, 2017
    UC&C consultant Kevin Kieller, a partner at enableUC, shares pointers for making the right architectural choices for your Skype for Business deployment.
    February 1, 2017
    Elka Popova, a Frost & Sullivan program director, shares a status report on the UCaaS market today and offers her perspective on what large enterprises need before committing to UC in the cloud.
    January 26, 2017
    Andrew Davis, co-founder of Wainhouse Research and chair of the Video track at Enterprise Connect 2017, sorts through the myriad cloud video service options and shares how to tell if your choice is en....
    January 23, 2017
    Sheila McGee-Smith, Contact Center/Customer Experience track chair for Enterprise Connect 2017, tells us what we need to know about the role cloud software is playing in contact centers today.