Internet Security Systems Discovers Critical Flaws in VoIP Infrastructure; Company Provides Protection for Customers Against VoIP Vulnerabilities
According to Gartner, by 2007, 97 percent of new phone systems installed in North America will be VoIP-based or hybrid. Despite VoIP's ease of use, the technology behind it is a complex set of protocols, applications and appliances that require careful security attention. ISS warns that security concerns surrounding VoIP will continue to rise as the technology gains in popularity.
"Voice over Internet Protocol is increasingly being adopted by corporations that wish to save money on telecommunications costs and streamline their communication infrastructure, providing employees with advanced features while simplifying administration processes," said Chris Rouland, chief technology officer at Internet Security Systems. "Like many of the applications that are driving today's businesses, VoIP travels over a variety of networks and the public Internet and is therefore susceptible to the same security perils as other staple network components like e-mail, databases and servers."
The most recent VoIP security flaws discovered by ISS' X-Force(R) team lie in Cisco's Call Manager, a component essential to the functioning of any Cisco VoIP deployment, performing tasks such as call signalling and call routing. By exploiting these vulnerabilities, an attacker can trigger a heap overflow within a critical Call Manager process, both causing a denial of service condition and enabling the attacker to completely compromise the Call Manager server. This could allow the attacker to redirect calls or eavesdrop, as well as gain unauthorized access to networks and machines running Cisco VoIP products. Compromise of VoIP networks and machines may lead to exposure of confidential information, loss of productivity and further network compromise.
The full ISS X-Force advisory on these flaws can be found at: http://xforce.iss.net/xforce/alerts/id/200.
Available Protection:
ISS has provided customers with protection for these vulnerabilities. Other organizations should review the following bulletin from Cisco for details on protection: http://www.cisco.com/warp/public/707/cisco-sa-20050712-ccm.shtml.
ISS has also recently published a report that offers insight into how VoIP security can be compromised and tips on how organizations can protect their VoIP installations. The full report can be found at: http://xforce.iss.net/xforce/threat_insight_quarterly/index.php.
For more information on Internet Security Systems(TM) preemptive protection offerings, please visit: http://www.iss.net/proof/preemptiveprotection/.
About Internet Security Systems, Inc.
Internet Security Systems, Inc. (ISS) is the trusted expert to global enterprises and world governments, providing products and services that protect against Internet threats. An established world leader in security since 1994, ISS delivers proven cost efficiencies and reduces regulatory and business risk across the enterprise. ISS products and services are based on the proactive security intelligence conducted by ISS' X-Force(R) research and development team - the unequivocal world authority in vulnerability and threat research. Headquartered in Atlanta, Internet Security Systems has additional operations throughout the Americas, Asia, Australia, Europe and the Middle East. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.
Internet Security Systems is a trademark and X-Force is a registered trademark of Internet Security Systems, Inc. All other companies and products mentioned are trademarks and property of their respective owners.
