Cisco Systems issued a warning on Wednesday that some of its IP phones could be compromised, allowing unauthorized individuals to bypass security restrictions.
In the warning, Cisco detailed flaws for two sets of products. One warning identified two versions of the Cisco Unified IP Conference Station, a speaker phone specially designed for conference rooms. The products are the 7935 version 3.2(15) and 7936 version 3.3(12).
Cisco said because of a design error in the HTTP interface, which allows the device to be managed remotely, an administrator’s credentials are saved or cached when the device is accessed remotely. So if an unauthorized person tried to access the device at a later time, it would permit access without further authentication.
If an administrator never accesses the device via the HTTP interface, the device is not vulnerable to the authentication bypass attack. Cisco said it’s possible to reset the device by powering it down and turning it back on again.
Cisco also identified flaws in several versions of its Unified IP phones, including the 7906G, 7911G, 7941G, 7961G, 7970G and 7971G. These IP phones contain a default user account and password that is used for debugging purposes. Cisco said that because of an implementation error, the default user account cannot be disabled, removed or have its password changed. This means that it’s possible for an unauthorized person to remotely access a vulnerable IP phone and take complete control of the device, causing it to become unstable and crash.
Cisco suggests on its Web site that network administrators apply access control lists on routers, switches and firewalls that filter traffic to vulnerable conference stations and IP phones so that traffic is only allowed from stations that need to remotely administer the devices. Cisco also said it will make free software available to address the flaws, but did not say when it would be available. Updates will be posted on its Web site.
While attacks on voice over Internet Protocol systems are rare, security flaws could become a growing concern for network administrators, especially as the number of companies using VoIP technology increases.
VoIP allows companies to use their data networks to carry voice traffic as well as company data, such as e-mail. Not only do companies save money by consolidating networks, but the IP network also allows for a slew of new features to be added to the company’s communications. Cisco’s IP telephony business has been growing strong over the past few years as more and more companies upgrade their telephone networks to IP.