Cisco: Critical Advisory For CallManager and IOS Network Risks

Flaws in Cisco Systems software for routers and IP telephony could be a conduit for attacks on enterprise networks, the company has warned. On Wednesday, it released two security alerts along with fixes for Cisco CallManager, which runs Internet-based phone calling. Two flaws exist in the software: One could allow an attacker to paralyze a Cisco IP telephony installation, the other could allow someone with read-only access to the system to gain full privileges, according to the alerts.

Cisco also patched a vulnerability in its Internetwork Operating System, which runs the routers and switches that make up much of the plumbing of corporate networks and the Internet. A feature called the Stack Group Bidding Protocol in certain versions of IOS is vulnerable to a remotely-exploitable denial of service condition, according to a company advisory.

An attacker could exploit the security hole by crafting a special network packet and sending that to a vulnerable Cisco system.

"Sending such a packet to port 9900 of an affected device will cause it to freeze and stop responding to, or passing traffic," Cisco said. After a delay, the device will reset, the company said. Devices that do not support or have not enabled the SGBP protocol are not affected by this vulnerability.