Cisco Patches IOS Flaw

Switching and routing firm Cisco Systems Inc. has issued a fix for a denial-of-service vulnerability affecting versions of its flagship IOS (Internetwork Operating System) software.

A security advisory from the San Jose, Calif.-based company said the flaw affects all Cisco devices that are configured for Cisco ITS (IOS Telephony Service), Cisco CME (CallManager Express) or SRST (Survivable Remote Site Telephony) services.

ITS, CME and SRST are features that allow a Cisco device running IOS to control IP phones using the Skinny Call Control Protocol. The company warned that a malicious hacker could send certain malformed packets to the SCCP port on an IOS device configured for ITS, CME or SRST, which may cause the target device to reload.

The attack scenario could be done repeatedly to create a denial-of-service attack against telephony devices, company officials said.

The vulnerability, which was detected and reported by researchers at SecureTest, exists because of an error within the processing of control protocol messages. It affects the 12.1YD, 12.2T, 12.3, and 12.3T release trains.

Dan Jackson, president and chief operating officer of DeepNines Technologies, said the Cisco flaw is further proof that routers could present a bigger target for malicious hackers.

“From a security standpoint, 2005 is the year that the router becomes the Achilles heel of the network,” Jackson said in a statement. “Where there’s smoke, there’s fire—meaning these won’t be the last router vulnerabilities we hear about this year.”

Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.