Cisco Unity Session Exhaustion Denial of Service
Session management on the Unity server appears to be restricted and this allows a malicious user to use up all available sessions denying access to a legitimate administrator. Restoring the ability for new sessions to be established requires a complete system reboot, since simply restarting the default website is insufficient.
Denial of Service
Cisco Unity 7.0
Cisco has acknowledged the issue and is issuing patches to correct it. More details could be found at http://www.cisco.com/warp/public/707/cisco-sr-20081008-unity.shtml.
In the short term it is recommended that a VoIP aware IPS product, such as VoIPguard, with signatures to detect attempts to exploit this issue, be implemented to prevent it from being exploited. Implementing best practices can limit the exposure of this issue. Cisco is recommending to use Unity integrated login feature.
Cisco customers with a valid support agreement may wish to speak with their support contact in order to obtain further vendor details.
Each line represents an individual vulnerability or group of vulnerabilities. For example, "UCM Multiple Hardcoded Passwords" is presented here in a single line but was reported to Nortel as sixteen (16) individual vulnerabilities.
Click on a level for description
Vendor Response LegendPatch available
Attempting to address the issue
No vendor response