Cisco's Unified Communications Manager voice over IP software has two vulnerabilities that allow denial-of-service attacks, the company has said.

The software, formerly CallManager, is affected by two overflow conditions that could let a remote or unauthenticated user initiate a DOS or launch program. A workaround exists for one of the flaws, Cisco said in an advisory on its website.

The first overflow affects the product's Certificate Trust List (CTL) Provider service. CTL Provider listens on TCP Port 2444 by default, but the port is user configurable.

The second overflow condition affects UCM's Real-Time Information Server (RIS) Data Collector service. RIS Data Collector listens on TCP Port 2556 by default, but the port is user configurable.

The vulnerable products are: Unified CallManager 3.3 versions before 3.3(5)SR3, Unified CallManager 4.1 versions before 4.1(3)SR5, Unified CallManager 4.2 versions before 4.2(3)SR2, UCM 4.3 versions before 4.3(1)SR1, and Unified CallManager 5.0 and UCM 5.1 versions before 5.1(2).

Unified CallManager versions 4.2, 4.3, 5.1 and 6.0 have been renamed as UCM. UCM versions 3.3, 4.0, 4.1 and 5.0 retain the Unified CallManager name. The software has been subject to similar vulnerabilities in the past.

UCM Version 6.0 and CallManager Express are not affected by these vulnerabilities, Cisco said.

The company said it is not aware of any malicious use of the vulnerabilities. They were reported by the IBM Internet Security Systems X-Force team, the company said.

Users can work around the CTL Provider vulnerability by disabling it if it is not needed, Cisco says. Access to CTL Provider usually is required only during the initial configuration of UCM authentication and encryption features, the company said.

Filtering traffic to affected UCM systems on screening devices can also be used to mitigate both vulnerabilities, Cisco said. It also is possible to change the default ports of CTL Provider and RIS Data Collector, then employ filtering.

Infrastructure Access Control Lists can also serve as a workaround for this specific vulnerability, Cisco said.

The CTL Provider vulnerability is corrected in UCM versions 4.1(3)SR5, 4.2(3)SR2, 4.3(1)SR1 and 5.1(2). The RIS Data Collector vulnerability is corrected in UCM versions 3.3(5)SR2b, 4.1(3)SR5, 4.2(3)SR2, 4.3(1)SR1 and 5.1(2).

Cisco says it will make free software available to address the vulnerabilities for affected customers.