Security flaw in Cisco CallManager could lead to DoS


Cisco Systems Inc. issued an advisory late last week saying that its CallManager call-processing application has a security flaw in it that could leave the product open to a denial of service (DoS) attack.

Cisco has released a patch for this vulnerability.

The bug, which affects CallManager versions 3.0 and 3.1, is the result of a memory leak that can be triggered when a user fails to properly authenticate using the Computer Telephony Integration (CTI) component of CallManager, Cisco said. The flaw can cause the software to crash and could be used to initiate a DoS attack against the product, the advisory said.

The authentication failure problem is most common in systems that have been recently integrated with customer directories, Cisco said. This scenario results from incorrectly configuring the WebAttendant portion of the program, leaving it without a valid password, Cisco said. Systems that do not use the WebAttendant will also be vulnerable, however, as the Telephony Call Dispatch service is enabled by default.

Other components of the CallManager software may also stop working properly due to the misconfiguration, Cisco said.

More information about the vulnerability is available in Cisco's advisory, posted online at

Customers should contact Cisco, their reseller or other normal channels to obtain a security fix for the vulnerability, Cisco said.

Now Read This IT Resume Makeover: Our top 11 tips
View Comments
You Might Like
Join the discussion
Be the first to comment on this article. Our Commenting Policies