April 02, 2002, 4:04 PM — Cisco Systems Inc. issued an advisory late last week saying that its CallManager call-processing application has a security flaw in it that could leave the product open to a denial of service (DoS) attack.
Cisco has released a patch for this vulnerability.
The bug, which affects CallManager versions 3.0 and 3.1, is the result of a memory leak that can be triggered when a user fails to properly authenticate using the Computer Telephony Integration (CTI) component of CallManager, Cisco said. The flaw can cause the software to crash and could be used to initiate a DoS attack against the product, the advisory said.
The authentication failure problem is most common in systems that have been recently integrated with customer directories, Cisco said. This scenario results from incorrectly configuring the WebAttendant portion of the program, leaving it without a valid password, Cisco said. Systems that do not use the WebAttendant will also be vulnerable, however, as the Telephony Call Dispatch service is enabled by default.
Other components of the CallManager software may also stop working properly due to the misconfiguration, Cisco said.
More information about the vulnerability is available in Cisco's advisory, posted online at http://www.cisco.com/warp/public/707/callmanager-ctifw-leak-pub.shtml.
Customers should contact Cisco, their reseller or other normal channels to obtain a security fix for the vulnerability, Cisco said.