Cisco Systems disclosed that there were some VoIP related vulnerabilities in its Internet Operating Systems (IOS) and it is working on fixing the issue, according to Light Reading. The issue involves a denial of service attack, where malformed packets can create havoc.
The flaw makes it possible, under certain versions of IOS, to send such packets from a Cisco IP phone to a router port running Cisco’s Skinny Call Control Protocol (SCCP). This causes a reset on the router port. By repeating the process frequently enough, an intruder could keep the router in a perpetual reload state, creating a kind of DOS attack. The DOS problem gets magnified when VOIP enters the picture, because incoming calls will have to be examined to screen out DOS attempts. This is more involved than the transport-level security used to prevent normal DOS attacks.
One thought on “Cisco’s IOS has a VoIP Hole”
Internetwork Operating System (IOS®), not Internet Operating Systems (IOS) as posted above.