Organisations using Avaya, Cisco and Nortel VoIP systems have been warned about vulnerabilities that could result in remote code execution, unauthorised access, denial of service and information harvesting.
The vulnerabilities were found by VoIPshield Laboratories and reported earlier to the three vendors in order to give them time to develop patches for the flaws, says Rick Dalmazzi, president and CEO of VoIPshield. Dalmazzi would not reveal more details because his company and the affected VoIP vendors agreed to a simultaneous announcement.
He said that two of the three vendors should have patches available today and the third will issue an advisory.
The vulnerabilities found affect voice servers - VoIP PBXes - and softphone software that runs on laptops and desktops, Dalmazzi said.
VoIPshield ranks most of the vulnerabilities found as either critical or high, the two most severe rankings on its four-step scale.
Avaya, Cisco and Nortel were chosen for vulnerability testing because they represent the bulk of IP PBX sales in North America, Dalmazzi says. The company has included Microsoft in its next round of testing, the results of which will come out in about four months.
VoIPshield Systems makes VoIP vulnerability testing software as well as an intrusion-prevention system designed for VoIP.