Security vulnerabilities in Cisco Call Manager software may provide hackers the opportunity to reconfigure VoIP settings and gain access to users’ personal account information.
This is the warning issued to users by experts from the solution provider FishNet Security in a report released on June 19.
Jake Reynolds, a senior security expert at FishNet, stated that the Call Manager software from version 3.1 and above is affected by these security flaws.
These vulnerabilities arise from the routing function and call signal transmission in Cisco’s VoIP systems.
Reynolds confirmed that because the Call Manager web management interface lacks input and output validation controls, attackers can exploit it to carry out cross-site scripting (XSS) attacks remotely.
XSS attacks are commonly used to trick users with privileged access into clicking on a hyperlink contained within an email or a website.
In the case of Call Manager, an attacker would send a request containing malicious JavaScript code to the Call Manager web administration interface. If the administrator is tricked into opening that request, the malicious code runs in their web browser with their privileges, allowing the attacker to delete or reconfigure system components or gain access to users’ confidential account information.
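The mechanism above, reflected XSS in a web administration page, as an added illustration that is not code from the article or from Cisco: a hypothetical admin page handler that echoes a constructed `user` query parameter, first without controls and then with the input validation and output encoding whose absence the article describes.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample links (not from the article). The second carries a
# harmless script tag in the hypothetical "user" parameter, standing in for
# the "request containing malicious JavaScript" the article describes.
BENIGN_LINK = "https://callmanager.example/admin/account?user=alice"
HOSTILE_LINK = (
    "https://callmanager.example/admin/account"
    "?user=alice%3Cscript%3E/*constructed*/%3C/script%3E"
)

# Allow-list for account names; an assumption, not a Cisco rule.
ACCOUNT_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def _user_param(url: str) -> str:
    """Pull the 'user' query parameter out of a link, URL-decoded, or ''."""
    return parse_qs(urlsplit(url).query).get("user", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflect the parameter verbatim: whatever the link carries reaches the
    administrator's browser as live markup. Shown only for contrast."""
    return f"<h1>Account: {_user_param(url)}</h1>"


def render_hardened(url: str) -> str:
    """Input validation plus output encoding: reject names outside the
    allowed character set, and HTML-escape whatever is echoed back so that
    even a value that slipped past validation is rendered as text."""
    user = _user_param(url)
    if not ACCOUNT_NAME.fullmatch(user):
        return "<h1>Invalid account name</h1>"
    return f"<h1>Account: {html.escape(user, quote=True)}</h1>"


def carries_script(page: str) -> bool:
    """Crude check: does the rendered page contain a script tag?"""
    return "<script" in page.lower()
```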
In a published statement, the Cisco Product Security Incident Response Team (PSIRT) advised users to verify the destination of links before clicking on them.
Cisco has addressed these security vulnerabilities and will integrate patches into Call Manager versions 4.3(1), 4.2(3), 4.1(3)SR4, and 3.3(5) SR3.
Hoàng Dũng