A trinity of Cisco product holes have been patched in the company's IP PBXs and routers.

One that affects Cisco CallManagers could leave servers open to denial-of-service attacks, potentially shutting down the phone service inside a company.

Cisco says the DoS vulnerability exists because CallManager servers do not time out TCP connections on certain ports fast enough. This could cause overuse of CPU and memory resources on the server and lead to a crash or reboot and IP phones not responding with dial tone, the company says. Affected versions are 3.2, 3.3, 4.0 and 4.1.

Since such an attack would require network access to CallManagers, which are typically deployed behind a firewall, an external DoS attack on the IP PBX is less likely.

Another hole involves the Multi Level Administrator service on CallManager servers. Admins without read-write administrator-level access to the CallManager could bump up their privileges by sending a "crafted URL" to the CallManager administrator Web page on the server. This vulnerability affects the same CallManager versions as the DoS issue, Cisco said.

Software fixes are available for both security holes.

The third bulletincovers a problem in Cisco's IOS router software that could result in a remotely executed DoS attack on Cisco gear.

The problem is with the Cisco IOS Stack Group Bidding Protocol (SGBP), which is used on routers that aggregate multiple Point-to-Point Protocol (PPP) connections. When aggregating multiple PPP links, known as Multilink PPP, the SGBP is used by devices connected via Multilink PPP to identify each other.

If a specially crafted UDP packet is sent to port 9900 on an affected router (i.e., a device running Multilink PPP and SGBP) the device could freeze. Cisco has issued a software fix.

Short of upgrading IOS software, users can also set up an access control list to block untrusted access to a router via SGBP.