The flaw was found in Cisco’s Call Manager product, the the centerpiece server software of Cisco’s enterprise IP-telephony offerings. Cisco leads this market with 42% market share in North America, according to researcher Gartner.
Call Manager handles key functions of any Cisco VoIP system and handles functions such as call signally and call routing.
An attacker could cause a denial of service condition and compromise the Call Manager server by exploiting the flaw. That includes redirecting calls, eavesdropping and accessing networks and machines that run Cisco’s VoIP products.
Once the hackers gain control of your Call Manager the game’s over basically, said Neel Mehta, team leader of the Xforce Research unit of Internet Security Systems Inc, which discovered the flaw. The only thing that’s on your side is the as far as we know hackers aren’t exploiting it right now.
Cisco spokesman John Noh said the company knew of no exploits as a result of the vulnerabilities. Customers have been contacted about the vulnerability, he said, and a software fix is available on Cisco’s web site.
However, enterprises without VoIP security software would potentially not be aware of a breach to their Cisco system, said ISS’ Mehta.
He also pointed out that a vendor patch makes it easier for hackers to identify a flaw by giving a known good state of the software to compare against a known bad state, so to speak.
And while no breaches have yet been reported, Mehta said exploits generally appear within weeks or months of a flaw discovery.
ISS has an interest in finding flaws in VoIP products from Cisco and others because it makes security software that protects VoIP-based systems, Mehta said.
The Atlanta-based company also competes with Cisco in IDS/IPS. (ISS’s BlackIce IDS/IPS suffered a Witty worm attack last year in March).
Given the wide deployment of Call Manager and the broad access the flaw would potentially give hackers, this is one of the most serious VoIP breaches in the US since ISS began tracking them about a year ago, Mehta said.
The crack in Cisco’s Call Manager may potentially sway an enterprises’ decision whether or not to buy a VoIP system from the company, said Megan Fernandez, Gartner senior analyst. But it would likely be just one among many factors in a potential customers’ evaluation, she said.
I still expect the majority of end users to keep considering Cisco in the mix, she said.
Moreover, the flaw opens the door for rivals to gloat over the seeming safety of their own systems.
I’m sure they’ll be jumping on that as far as promoting how secure their system are. This is a big marketing opportunities for these other competitors, Fernandez said.
However, ISS’ Mehta said vulnerabilities in VoIP systems are inherent in the industry standards SIP and H232.
Trailing Cisco in the pure IP-PBX market in North America is Avaya with 14%, 3Com with 11% and Nortel with a 9% market share, according to Gartner.
The researcher also has said that by 2007, 97% of new phone systems installed in North America would be VoIP-based or hybrid.
