Network World

Jim Duffy

Four vulnerabilities found in Cisco Unified Communications Manager

By Jim Duffy on Wed, 05/14/08 - 4:00pm.

Cisco Security Advisory: On May 14 Cisco issued a security advisory for Cisco Unified Communications Manager (formerly Cisco CallManager). Patches are now available to fix four denial of service (DoS) vulnerabilities, all of which were discovered internally by Cisco, the company says. The following Cisco Unified Communications Manager (CUCM) services are affected: Certificate Trust List (CTL) Provider, Certificate Authority Proxy Function (CAPF), Session Initiation Protocol (SIP) and Simple Network Management Protocol (SNMP) Trap.

The CTL vulnerability affects CUCM version 5.x. It is a memory consumption hole that is triggered when a vulnerable CUCM system receives a series of malformed TCP packets, and it may result in a DoS condition. The CTL Provider service is enabled by default. The Certificate Authority Proxy Function (CAPF) vulnerability affects versions 4.1, 4.2 and 4.3; when the service handles malformed input, the hole may result in a DoS condition.

Of the SIP vulnerabilities, one involves a hole in SIP JOIN and two involve SIP INVITE. One of the SIP INVITE holes does not have a workaround. The bug is fixed in the next service release, i.e. 4.1(3)SR7, 4.2(3)SR4, 4.3(2), 5.1(3) and 6.1(1).
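For inventory triage, the fixed releases listed above can be compared against installed versions. The sketch below is an added example, not code from Cisco or from this article; the version-string grammar (`major.minor(maintenance)SRn` with an optional letter suffix), the ordering rule, the function names and the sample inventory are all assumptions, and a "below-fix" result does not say which of the four bugs applies to that train.

```python
import re

# Fixed releases exactly as listed in the article.
FIXED = ["4.1(3)SR7", "4.2(3)SR4", "4.3(2)", "5.1(3)", "6.1(1)"]

# Assumed grammar: major.minor(maintenance) with optional SR<n>[letter].
_VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:SR(\d+)([a-z]?))?$", re.IGNORECASE)


def parse(version):
    """Return (major, minor, maintenance, sr_number, sr_letter) or raise ValueError."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised CUCM version string: {version!r}")
    major, minor, maint, sr, letter = m.groups()
    # A release with no SR suffix sorts before SR1 of the same maintenance level.
    return (int(major), int(minor), int(maint), int(sr or 0), (letter or "").lower())


# One fixed release per (major, minor) train.
FIXED_BY_TRAIN = {parse(v)[:2]: parse(v) for v in FIXED}


def triage(version):
    """Classify an installed version against the fixed release for its train."""
    try:
        installed = parse(version)
    except ValueError:
        return "unparsed"            # e.g. a dotted build number; check by hand
    fixed = FIXED_BY_TRAIN.get(installed[:2])
    if fixed is None:
        return "train-not-listed"    # the article names no fix for this train
    # Assumed ordering: maintenance level first, then SR number, then SR letter.
    return "at-or-above-fix" if installed >= fixed else "below-fix"


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names and versions).
    inventory = {
        "cucm-pub-01": "4.1(3)SR6",
        "cucm-sub-02": "4.2(3)SR4b",
        "cucm-lab-03": "5.1(2)",
        "cucm-new-04": "6.1(1)",
        "cucm-old-05": "6.0(1)",
    }
    for host, version in sorted(inventory.items()):
        print(f"{host:12} {version:12} {triage(version)}")
```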


About The Cisco Connection

The Cisco Subnet blog is written by Network World managing editor Jim Duffy. Visit the Cisco Subnet home page daily and while you are there, subscribe to the Cisco Alert e-mail newsletter, which includes news and views generated by the Cisco Subnet community as well as Cisco-related stories on Network World and elsewhere on the Web.
