A software flaw in Cisco Voice over Internet Protocol phones could leave its customers vulnerable to a hack attack. The United Kingdom’s National Infrastructure Security Co-ordination Centre (NICC) reported the problem on Tuesday.
Cisco is issuing patches to fix the issue, which is caused by a Domain Name System (DNS) protocol vulnerability that affects the client software in the phones. The DNS protocol is an Internet service that translates domain names into IP addresses. If exploited, this vulnerability could allow a hacker to perpetrate a Denial-of-Service attack.
“The vulnerability concerns the recursion process used by some DNS implementations to decompress compressed DNS messages,” said the NISCC advisory. “Under certain circumstances, it is possible to cause the DNS server to terminate abnormally.
Examining the Problem
NISCC said because domain names are alphabetic, they’re easier to remember, however the Internet is really based on IP addresses; hence every time a domain name is requested, a DNS service must translate the name into the corresponding IP address.
Under certain circumstances, it is possible to cause both DNS servers and DNS clients to terminate abnormally by sending it malformed messages.
Cisco’s 7902/7905/7912 IP phones, the Cisco ATA (analog telephone adaptor) 186/188, and several Cisco Unity Express and Cisco ACNS (application andcontent networking system) devices are vulnerable.
VoIP critics have long pointed to potential security threats as a good reason why consumers should not adopt the technology. Now that VoIP is moving into the mainstream, will these types of vulnerabilities hinder the technology’s growth?
Rob Enderle, principal analyst at The Enderle Group, told TechNewsWorld that these types of vulnerabilities are just a fact of life with network attached technologies. “To a certain extent we are becoming somewhat resistant to the concern,” Enderle said. “The expectation, of course, is that the vendors will fix the vulnerability quickly.”
Analysts said there may be cause for concern if a company like Cisco tried to cover up the story. But Cisco is responding in a straightforward manner to the discovery.
“No Cisco products performing DNS server functions, or DNS packet inspection, are currently known to be affected by this vulnerability,” said the Cisco security notice. “Only the DNS clients listed in the Affected Products section are currently known to be affected. Cisco has made free software available to address this vulnerability.”
Enderle said Cisco has a reputation of doing quality work and doesn’t anticipate this incident causing the company any long-term problems. “Now if they start having a whole series of vulnerabilities then that’s a whole different story,” he said.