Avaya and Cisco have issued patches for their VoIP equipment after security researchers warned of vulnerabilities to a range of attacks.
In its testing, VoIPshield found that Avaya's Communication Manager 3.1x contained 29 separate vulnerabilities that, if exploited, could result in remote code execution, unauthorised access, denial-of-service (DoS) and information harvesting.
Cisco's Unified Communications Manager versions 5.x and 6.x, as well as Call Manager 4.x, were affected by a total of 12 vulnerabilities that could lead to unauthorised access and DoS attacks. Some Nortel equipment was also found to be vulnerable.
Nortel's Communications Server 1000 4.50.x, Multimedia Communications Server 5100 3.x, and SIP Multimedia PC client 4.x were cited for a total of four vulnerabilities that could lead to unauthorised access and DoS exploits.
Avaya said it knew of the problems and was issuing advisories to customers and providing service-pack updates that address some of them. "Ongoing updates and service packs addressing this will continue to be made accessible on our support site," an Avaya spokesman said.
Cisco is releasing software updates that address the vulnerabilities at no extra charge for customers with service contracts. Nortel did not respond to questions about its response to the VoIPshield warnings.
Rick Dalmazzi, president and CEO of VoIPshield, says Avaya, Cisco and Nortel were chosen for vulnerability testing because they represented the bulk of IP PBX sales in North America. The company has included Microsoft in its next round of testing, the results of which will come out in about four months.
VoIPshield Systems makes VoIP vulnerability-testing software, as well as an intrusion-prevention system designed for VoIP.