SHARE



ABOUT THE AUTHOR


Eric Krapf
Eric Krapf is General Manager and Program Co-Chair for Enterprise Connect, the leading conference/exhibition and online events brand in the...
Read Full Bio >>
SHARE



Eric Krapf | June 26, 2008 |

 
   

More Cisco, Avaya, Nortel Vulnerabilities Named

More Cisco, Avaya, Nortel Vulnerabilities Named VOIPShield has released a new raft of vulnerabilities that it found in IP telephony systems from Cisco, Avaya and Nortel (announcement here; vulnerability details here). Unlike its previous such announcement, VOIPShield has this time coordinated the release with the affected vendors, avoiding the criticism it faced the last time, when VOIPShield went public with the vulnerabilities before the affected vendors could address all of them.

VOIPShield has released a new raft of vulnerabilities that it found in IP telephony systems from Cisco, Avaya and Nortel (announcement here; vulnerability details here). Unlike its previous such announcement, VOIPShield has this time coordinated the release with the affected vendors, avoiding the criticism it faced the last time, when VOIPShield went public with the vulnerabilities before the affected vendors could address all of them.

VOIPShield has released a new raft of vulnerabilities that it found in IP telephony systems from Cisco, Avaya and Nortel (announcement here; vulnerability details here). Unlike its previous such announcement, VOIPShield has this time coordinated the release with the affected vendors, avoiding the criticism it faced the last time, when VOIPShield went public with the vulnerabilities before the affected vendors could address all of them.This week's announcement found a total of 45 vulnerabilities--29 with Avaya; 12 with Cisco and 4 with Nortel. VOIPShield gave its most severe rating, "Critical," to

  • An exploit that could expose system configuration information in Avaya's SIP Enablement Service. (VOIPShield reports that Avaya is "attempting to address the issue".)

  • A potential denial of service attack against Cisco's Unified Communications Manager 6.x and against UCM 5.x. (VOIPShield reports that Cisco has made a patch available).

  • A potential denial of service attack against Nortel's CS1000 4.50.x. (VOIPShield reports that Nortel is "attempting to address the issue," noting in its report, "Completely addressing the issue requires a patch from Nortel, which Nortel has indicated is being worked on, but the availability and timing of this patch have not yet been identified.") Nortel's Security Bulletin on the vulnerability states, "To our knowledge, this attack has not been launched against any of our customers."

  • A potential denial of service attack against the Wireless Client Manager (WiCM) SIP proxy in Nortel's MCS5100 3.x. (VOIPShield says Nortel has a "workaround proposed".) The Nortel Security Bulletin on this reported vulnerability states, "Recommended solution is to use a corporate NAT/FW in order to prevent such malicious actions from outside. WiCM is normally configured inside the corp network/firewall." On the other hand, VOIPShield contends that, "To completely address the issue requires a patch from Nortel. In the short term it is recommended that a VoIP-aware IPS [intrusion prevention system] product, such as [VOIPShield's] VoIPguard, with signatures to detect attempts to exploit this issue, be implemented to prevent it from being exploited. In addition, implementation of general best practice guidance such as controlling access to telephony networks via VLANs, access control lists, firewalls, network admission controls and/or other security devices will aid in limiting the exposure of this vulnerability."





  • COMMENTS



    Enterprise Connect Orlando 2017
    March 27-30 | Orlando, FL
    Connect with the Entire Enterprise Communications & Collaboration Ecosystem


    Stay Up-to-Date: Hear industry visionaries in Keynotes and General Sessions delivering the latest insight on UC, mobility, collaboration and cloud

    Grow Your Network: Connect with the largest gathering of enterprise IT and business leaders and influencers

    Learn From Industry Leaders: Attend a full range of Conference Sessions, Free Programs and Special Events

    Evaluate All Your Options: Engage with 190+ of the leading equipment, software and service providers

    Have Fun! Mingle with sponsors, exhibitors, attendees, guest speakers and industry players during evening receptions

    Special Offer - Save $200 Off Advance Rates

    Register now with code NOJITTEREB to save $200 Off Advance Rates or get a FREE Expo Pass!

    January 11, 2017
    As cloud communications continues to grow and mature, many enterprises are looking to build a hybrid CPE-cloud strategy. Looking out over the next three years, how should enterprises expect the cloud...
    December 14, 2016
    Cloud UC is being rapidly adopted in the enterprise, but recent research has shown many organizations continue to be challenged with how to effectively integrate cloud in their existing UC ecosystem. ...
    November 30, 2016
    With cloud communications platforms and SIP/SIP trunking APIs, enterprises have the opportunity to embed real-time voice and video calling within business applications and processes while leveraging e...