Cisco has said its corporate VoIP and presence servers could be vulnerable to a remote attack and flooded with traffic. The company said that the Cisco Unified CallManager (CUCM) and Cisco Unified Presence Server (CUPS) could be hit by specially crafted TCP, Internet Control Message Protocol (ICMP) or User Datagram Protocol (UDP) packets. Cisco has released software patches for these problems.
CallManager servers, which process VoIP calls on a network, can be crashed by attack traffic sent to TCP port 2000 or 2443 on the server; these ports are used by Cisco's proprietary call control protocols, Skinny Call Control Protocol (SCCP, or "Skinny") and Secure SCCP. This vulnerability exists in CallManager versions 3.x, 4.x and 5.0; CUCM 6.0, the latest version (announced this month), is not affected, nor is the Presence Server.
Cisco says CallManager and the Presence Server are affected by attacks involving floods of ICMP Echo Requests (pings), or specially crafted UDP packets. The ping-flood vulnerability, which affects only CallManager 5.0 and Presence Server 1.x, could be used to crash call-processing or presence services on the respective servers.
The UDP vulnerability affects the IPSec Manager Service on CallManager and Presence Server, which uses UDP Port 8500. With this less severe vulnerability, an attack could not stop calls from being placed or received on a Cisco VoIP network, but could cause the loss of some features, such as the ability to forward calls or deploy configuration changes to clusters of CallManager and Presence Servers.
Users of these products can download fixed software here.
In the meantime, Cisco says users can mitigate some of these vulnerabilities through a few filtering techniques:
- Permit TCP Port 2000 (SCCP) and TCP Port 2443 (Secure SCCP) to CallManager systems only from VoIP endpoints.
- ICMP Echo Requests (Type 8) should be blocked for CallManager and Presence Server systems (although this could affect network management applications and troubleshooting).
- UDP Port 8500 for IPSec Manager should be permitted only between CallManager/Presence Server systems configured in a cluster deployment.
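
The three filters above can be checked against exported flow records before or after they are deployed on an upstream device. The following is an added example, not Cisco's code: the address plan, the `verdict` and `audit` helpers and the sample flows are all constructed for illustration.

```python
import ipaddress

# Constructed addressing plan (assumption): phone VLAN and cluster nodes.
VOIP_ENDPOINTS = [ipaddress.ip_network("10.20.0.0/16")]
CLUSTER_NODES = {ipaddress.ip_address(a)
                 for a in ("10.1.1.10", "10.1.1.11", "10.1.1.20")}

def verdict(proto, src, dst, dport=None, icmp_type=None):
    """Apply the three filters to one flow; return (action, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst not in CLUSTER_NODES:
        return "permit", "destination is not a protected server"
    if proto == "tcp" and dport in (2000, 2443):
        if any(src in net for net in VOIP_ENDPOINTS):
            return "permit", "SCCP/Secure SCCP from a VoIP endpoint"
        return "deny", "SCCP/Secure SCCP from a non-endpoint source"
    if proto == "icmp" and icmp_type == 8:
        return "deny", "ICMP Echo Request to a protected server"
    if proto == "udp" and dport == 8500:
        if src in CLUSTER_NODES:
            return "permit", "IPSec Manager traffic between cluster nodes"
        return "deny", "UDP 8500 from outside the cluster"
    return "permit", "not covered by these three filters"

# Constructed flow records (not real traffic).
SAMPLE_FLOWS = [
    {"proto": "tcp", "src": "10.20.4.17", "dst": "10.1.1.10", "dport": 2000},
    {"proto": "tcp", "src": "192.0.2.50", "dst": "10.1.1.10", "dport": 2443},
    {"proto": "icmp", "src": "10.30.0.5", "dst": "10.1.1.20", "icmp_type": 8},
    {"proto": "icmp", "src": "10.30.0.5", "dst": "10.1.1.20", "icmp_type": 0},
    {"proto": "udp", "src": "10.1.1.11", "dst": "10.1.1.10", "dport": 8500},
    {"proto": "udp", "src": "10.20.4.17", "dst": "10.1.1.10", "dport": 8500},
]

def audit(flows):
    """Return (flow, reason) for every flow the filters would drop."""
    hits = []
    for flow in flows:
        action, reason = verdict(**flow)
        if action == "deny":
            hits.append((flow, reason))
    return hits

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow["src"], "->", flow["dst"], reason)
```

Denied Echo Requests from a monitoring host show up in the audit output, which makes the management and troubleshooting side effect noted in the list visible before the filter is enforced.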