'Highly critical' flaw identified in Cisco SIP systems

Cisco has issued a range of security advisories giving details of 11 vulnerabilities in IOS, the operating system on which many of its products run.

One of the vulnerabilities, described as "highly critical", could lead to a hacker compromising the affected system or launching a denial-of-service attack against it. The advisories, issued on Wednesday, are part of Cisco's twice-yearly schedule of security updates for IOS.

The highly critical vulnerability affects IOS version 12 devices running SIP, a protocol used by many businesses to set up and tear down voice and video calls. IOS version 12 is widely deployed.

"Multiple vulnerabilities exist in the SIP implementation in Cisco IOS software that could allow an unauthenticated, remote attacker to cause a reload of an affected device when SIP operation is enabled," Cisco's advisory read. "Remote code execution may also be possible."

Cisco advised businesses to patch the vulnerability. However, the company said there are no workarounds for devices where SIP is required, and businesses should instead try to mitigate the risks by allowing only trusted devices to connect to the affected device.

It said the vulnerabilities are triggered when a device processes malformed SIP messages. A hacker could exploit the vulnerabilities to force the device to reload. Multiple reload attempts could result in a successful denial-of-service attack, Cisco said.

Vulnerability research company Secunia said businesses should install Cisco's patch as a matter of urgency. Secunia's chief security officer Thomas Kristensen told ZDNet UK on Friday that "customers running SIP on Cisco IOS 12 should pay special attention to SA390068 [Secunia's advisory] and install the update immediately".

SIP processing should be disabled if it is not required, Cisco said, though it added that it had not witnessed malicious exploitation of the vulnerability so far.

Cisco's remaining advisories detailed 10 other vulnerabilities in IOS, but these have been marked by Cisco as less critical. However, they could still be exploited for the purpose of remote code execution or denial-of-service attacks, Cisco said, and it has provided patches.

Secunia said Cisco's statements do not point to widescale security problems with IOS. "There is nothing in this batch that indicates that Cisco IOS should have particularly bad security," Kristensen said. "It is important to note that the vulnerabilities are spread across different functionality which is used for different purposes. Each will therefore only affect a subset of customers."