The bug, which affects CallManager versions 3.0 and 3.1, is the result of a memory leak that can be triggered when a user fails to authenticate properly using the computer telephony integration (CTI) component of CallManager, Cisco said. This flaw can cause the software to crash and could be used to initiate a denial-of-service (DoS) attack against the product.
Cisco added that the authentication failure problem is most common in systems that have been recently integrated with customer directories. This scenario results from incorrectly configuring the WebAttendant portion of the program, leaving it without a valid password. Systems that do not use the WebAttendant will also be vulnerable, however, as the Telephony Call Dispatch service is enabled by default.
The misconfiguration could also affect other components of the CallManager software.
More information is available at www.cisco.com/warp/public/707/callmanager-ctifw-leak-pub.shtml.
Customers should contact Cisco, their reseller or other normal channels to obtain a security fix for the vulnerability, Cisco said.