Testers have found a vulnerability in the Session Initiation Protocol (SIP), an emerging standard used for connections between devices, such as voice-over-IP phones, in IP networks.
The CERT Co-ordination Center reported the vulnerability last week, citing a discovery by the Oulu University Secure Programming Group (OUSPG) in Finland. The OUSPG found that when a certain SIP test is applied to SIP clients and proxy servers, it causes unexpected system behaviour or a denial of service.
A Cisco Systems spokesman said that the company had not had any complaints from its customers, but that it had posted an advisory on 21 February saying the vulnerability affected two Cisco IP phones, the 7940 and 7960. Some recommendations call for work-arounds or patches, depending on the device affected.
CERT said Nortel Networks has worked on a software patch, due out by the end of the month, to address the vulnerability in its Succession Communications servers.
Gartner said it was significant that the vulnerability did not affect two major instant messaging protocols from Microsoft and America Online and that it seems to apply mainly to telephone clients.
CERT has listed more than 80 suppliers that make SIP-dependent products along with whether those products are affected.
"SIP is a very young protocol, and the way to get it mature is to have this kind of rigorous testing to occur," Gartner said.
Gartner urged companies and other users to take the time to research whether their products are vulnerable and to apply the needed patches or work-arounds.