search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Cisco IOS embedded call processing solutions contain unspecified DoS vulnerability

Vulnerability Note VU#613384

Original Release Date: 2005-01-21 | Last Revised: 2005-01-21

Overview

An unspecified error in Cisco Internetwork Operating System (IOS) could allow a remote attacker to cause a denial of service.

Description

Cisco IOS is a very widely deployed network operating system. IOS release trains 12.1YD, 12.2T, 12.3, and 12.3T, when configured for the IOS Telephony Service (ITS), CallManager Express (CME), or Survivable Site Telephony (SRST), may contain a vulnerability in the processing of certain control protocol messages. A specially crafted control protocol message could cause the device to reload.

Impact

By sending a specially crafted control protocol message to an affected device, a remote attacker could cause the device to reset. Repeated exploitation of this vulnerability could lead to a sustained denial-of-service condition.

Solution

Apply a patch or upgrade

Please refer to the "Software Versions and Fixes" section of the Cisco Security Advisory for more information on upgrading.


Workarounds

Cisco recommends a number of workarounds. For a complete list of workarounds, see the "Workarounds" section of the Cisco Security Advisory.

Vendor Information

613384
 

Cisco Systems Inc. Affected

Updated:  January 21, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was reported by the Cisco Systems Product Security Incident Response Team.

This document was written by Will Dormann, based on the information provided in the Cisco Security Advisory.

Other Information

CVE IDs: None
Severity Metric: 9.45
Date Public: 2005-01-19
Date First Published: 2005-01-21
Date Last Updated: 2005-01-21 19:40 UTC
Document Revision: 7

Sponsored by CISA.