Cisco Patches Spate of CCM Flaws

July 18, 2005 - Cisco Systems Inc. last week warned flaws in its Cisco C allManager (C CM) IP telephony software, if unreasonable exploitation by hackers, may cause in several different Denial of Service (DoS) attacks.

In the worst case, an attacker successfully exploited this loophole execution of arbitrary code can be compromised CCM system cubic PCT m is the Windows-based call-processing component of Ciscos IP telephony Stack. Cisco confirmed that version 3.3 cm3 4.0 and 4.1 and earlier vulnerable to DOS attacks, memory leaks, memory corruption.

Cisco warned several weaknesses, including: (i) resource leakage cc Real-time Information Server data collection (risdc) components may lead such services to constant (2) memory allocation vulnerability Cisco CallManager CTI (3) Another memory allocation vulnerability and the improper distribution of the CCM memory to the ccm.exe process (4) memory leak caused by the failure Sign When the multi-level management is to (5) and a potential memory allocation and buffer overflow loopholes cc aupair.exe service (known as Cisco Monitoring database layer in the Windows Task Monitor), may lead to DOS or arbitrary code execution.

Attacks, which can be exploited loopholes in the first four CCM stop response or (once resources are exhausted) reboot the system, in the most serious cases, the attacker can take advantage of this vulnerability implementation aupair.exe arbitrary code in the Windows cc host or access confidential information such as Cisco VoIP traffic.

Have workarounds, but Cisco no problem with the patch the vulnerability of are available here. -- Stephen swoyer