Cisco patches Call Manager VoIP flaws

Cisco has alerted users to problems with its Call Manager software

Cisco Systems has issued two patches for problems with its Call Manager VoIP software.

The first flaw was picked up by a customer and could have allowed hackers to launch a denial of service attack against the user's systems. All versions of Call Manager are vulnerable to the attack.

"Vulnerable versions of Call Manager do not manage TCP connections and Windows messages aggressively, leaving some well-known, published ports vulnerable to DoS attacks," stated the Cisco advisory. 

"Call Manager does not time-out TCP connections to port 2000 aggressively enough, leading to a scenario where memory and CPU resources are consumed with enough open connections.

"In specific scenarios, Call Manager will leave the TCP connection open indefinitely until either the Call Manager service is restarted or the server is rebooted."

The second advisory covers a flaw that could allow a user with read-only access to gain full administrator privileges. This could be particularly serious if a hacker gained control of a computer and then used the flaw to obtain total access. 

Cisco has made patches available on its website and is urging users to fix the flaws as soon as possible.