Avaya, Cisco address VoIP vulnerabilities

Avaya and Cisco have addressed a report that their VoIP gear is vulnerable to a variety of attacks. VoIPshield Laboratories found the vulnerabilities, which also impact certain Nortel gear.

In its testing VoIPshield found that Avaya's Communication Manager 3.1x contained 29 separate vulnerabilities, that if exploited, could result in remote code-execution, unauthorized access, denial-of-service (DoS) and information harvesting. (Compare IP PBX products)

Cisco's Unified Communications Manager versions 5.x and 6.x, as well as Call Manager 4.x, were affected by a total of 12 vulnerabilities that could lead to unauthorized access and DoS attacks.

Nortel's Communications Server 1000 4.50.x, Multimedia Communications Server 5100 3.x, and SIP Multimedia PC client 4.x were cited for a total of four vulnerabilities that could lead to unauthorized access and DoS exploits.

Avaya says it knows about the problems and is issuing advisories to customers and providing service-pack updates that address some of them. "Ongoing updates and service packs addressing this will continue to be made accessible on our support site," an Avaya spokesman says.

Cisco is releasing software updates that address the vulnerabilities at no extra charge for customers with service contracts Nortel did not respond to questions about their response to the VoIPshield warnings.

Rick Dalmazzi, president and CEO of VoIPshield, says Avaya, Cisco and Nortel were chosen for vulnerability testing because they represent the bulk of IP PBX sales in North America. The company has included Microsoft in its next round of testing, the results of which will come out in about four months.

VoIPshield Systems makes VoIP vulnerability-testing software, as well as an intrusion-prevention system designed for VoIP.