Cisco Systems has warned that an IOS software glitch could leave VoIP-enabled routers vulnerable to attack.

The software flaw affects only Cisco routers running IOS Telephony Services, CallManager Express or Survivable Remote Site Telephony (SRST). These services use Cisco’s Skinny Call Control Protocol (SCCP, or Skinny), which controls signalling between Cisco IP telephones and CallManager call processors. The IOS bug could allow an attacker to send malformed packets to the Skinny port on a Cisco VoIP-enabled router.

“Successful exploitation of the vulnerability may result in a device reload,” according to an advisory on the Cisco website. “Repeated exploitation could result in a Denial of Service (DoS) attack.”

The routers running any of the three affected VoIP services must also be running IOS software release trains 12.1YD, 12.2T, 12.3 and 12.3T in order to be considered vulnerable.

SRST is usually deployed on Cisco routers in branch offices that connect IP phones in the branch to a centralized CallManager IP PBX. SRST allows phones to get local dial tone and some calling features in case the WAN link back to the IP PBX fails. IOS Telephony Services also performs this feature, but CallManager Express is a module for Cisco routers which adds additional call-processing and memory power for routers, allowing them to act as self-sufficient phone systems.

Cisco said that customers whose routers have the vulnerable IOS code can obtain fixed software through Cisco or through channel partners, or they can upgrade to a higher IOS code release.

Because IOS software upgrades would require routers to come offline during the upgrade, Cisco says users can employ some workarounds until fixed code is obtained and installed. Cisco says users can set the routers to restrict Skinny protocol traffic only to locally connect IP phones. (Cisco recommends this as common practice for CallManager users; this setting is not configured by default in CallManager Express “for ease of management,” according to Cisco’s support Web site.)

Cisco said users could also install access control lists to block WAN access to block port 2000, which would keep external Skinny-based traffic from accessing the device.