Cisco warns of UCM flaws

Cisco has warned that several versions of its Unified Call Managers have security problems.

Cisco Systems issued an advisory on Wednesday warning customers about vulnerabilities in its Unified Communications Manager that could interrupt voice services and disclose information useful to an attacker.

Cisco released software updates to fix the flaws in CUCM, which is the call processing component of the Cisco IP Telephony system and was formerly called Cisco CallManager.

The Computer Telephony Integration (CTI) Manager service of CUCM versions 5.x and 6.x contains a flaw that could result in a denial of service (DoS) when handling malformed input, according to the Cisco advisory.

The other vulnerability affects the Real-Time Information Server (RIS) Data Collector service of CUCM versions 4.x, 5.x, and 6.x. The flaw, an authentication bypass vulnerability, could lead to unauthorized disclosure of CUCM cluster information including user names and configured IP phones, which an intruder could use to mount further attacks, Cisco said. No passwords can be obtained by exploiting the flaw.

Cisco said it was unaware of any malicious exploitation of the flaws.

Products affected by the vulnerabilities are: Cisco Unified CallManager 4.1; CUCM 4.2 versions prior to 4.2(3)SR4; 4.3 versions prior to 4.3(2)SR1; 5.x versions prior to 5.1(3c); and 6.x versions prior to 6.1(2).
