Cisco Systems has patched a number of security vulnerabilities affecting its routers and Call Manager software, some of which could be used to launch a DoS (denial-of-service) attack against the products.
The router bug (http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml) affects all Cisco devices that use the company's IOS (Internetwork Operating System) software and that have enabled a little-known protocol called Stack Group Bidding Protocol (SGBP), which is used to help manage network access using Cisco devices.
This vulnerability probably does not affect a lot of Cisco users, because SGBP is not widely used and devices that do not have the protocol enabled are not vulnerable, said Johannes Ullrich, chief research officer for the SANS Institute, a security training organization.
The other two bugs relate to Cisco's Call Manager software, which is used to manage VoIP (voice over Internet Protocol) calls. The bugs could be exploited by an attacker either to launch a DoS attack (http://www.cisco.com/warp/public/707/cisco-sa-20060118-ccmdos.shtml) against the Call Manager machine or to gain additional user privileges (http://www.cisco.com/warp/public/707/cisco-sa-20060118-ccmpe.shtml) on such a system.
Call Manager users should apply these patches, but they should do so with caution, Ullrich said. "You should apply them because there are a couple of serious vulnerabilities there. But don't rush them," he said. "If your Call Manager breaks and your company is without phone service for a couple of days, it's not good."