Cisco Call Manager opens the door to hackers

Security vulnerabilities in Cisco Call Manager software can give hackers a chance to reconfigure VoIP settings and gain access to individual user account information.

Experts at solution provider FishNet Security warned users of this in a report released on June 19.

Jake Reynolds, FishNet's senior security expert, said Call Manager software from version 3.1 and above has these security flaws.

The affected software handles call routing and call signaling in Cisco VoIP systems.

Reynolds claims that because the Web Manager management interface for Call Manager does not properly validate input and output, hackers can take advantage of it to carry out cross-site scripting attacks remotely.

Cross-site scripting attacks are often used to trick users with privileged access into clicking a URL hyperlink contained in an email or a web page.

In the case of Call Manager, the hacker sends a request containing malicious JavaScript code to the Call Manager web administration interface. If an administrator is deceived into accepting this request, the malicious code may be executed in their web browser, allowing the attacker to delete or reconfigure system components or to retrieve users' confidential account information.

In an announcement, the Cisco Product Security Incident Response Team (PSIRT) recommends that users verify the destination of links before clicking on them.

Cisco has fixed these security bugs and will integrate the patches into Call Manager versions 4.3(1), 4.2(3), 4.1(3) SR4 and 3.3(5) SR3.

Hoang Dung