Cisco patches 8 IOS security flaws
Cisco recently patched 8 vulnerabilities in its IOS operating system, as well as a standalone vulnerability in the Cisco Unified Communications Manager (UCM).
“That flaw is a DoS bug in the SIP (session initiation protocol) implementation in UCM,” according to Dennis Fisher. “SIP is used in a variety of products to help set up voice and video calls on IP networks. ‘A vulnerability exists in the SIP implementation in Cisco Unified Communications Manager that could allow a remote attacker to cause a critical service to fail, which could interrupt voice services. This vulnerability is triggered when an affected device processes a crafted SIP message that contains a valid Session Description Protocol (SDP) message. Only traffic destined to the device can trigger the vulnerability; transit SIP traffic is not an exploit vector,’ Cisco said in its advisory.”
“According to the company, the Session Initiation Protocol (SIP) implementation in its IOS Software and its IOS XE Software has a bug that could enable a remote attacker to cause a device to reload, assuming that the devices are configured to process SIP messages and for pass-through of Session Description Protocol (SDP),” said Ken Presti from CRN. “‘This vulnerability is triggered when an affected device processes a crafted SIP message that contains a valid Session Description Protocol (SDP) message,’ the advisory reports. ‘Only traffic destined to the device can trigger the vulnerability; transit SIP traffic is not an exploit vector. SDP pass-through must be enabled, either at the global level, or at the dial-peer level, for a device to be affected by this vulnerability.’”
“The release comes six months after the company’s last IOS update and is part of a regularly-scheduled twice yearly patch release for the platform,” wrote Shaun Nichols. “Cisco’s patches came just a few days after Microsoft released an out-of-band security update that users and administrators of Windows XP systems have been urged to install. The patch addresses a security vulnerability in Internet Explorer that has been targeted for use in drive-by malware attacks.”