There's trouble with the Disaster Recovery Framework (DRF) Master component in a number of unified communications products from Cisco.

The flaw, which the networking giant patched late last week, enables hackers to compromise vulnerable systems. Cisco Emergency Responder, Cisco Unified Communications Manager versions 5 and 6, and Cisco Unified Presence 6.x are affected.

Failure to properly authentic requests by the DRF component means miscreants might be able to execute arbitrary commands on affected systems. Denial of service attacks are also a possibility.

Cisco's advisory can be found here.

The network giant credits VoIPshield Systems with discovering the vulnerability. VoIPshield, which markets VoIP security application products, created a splash last week with claims that it had unearthed previously-undiscovered vulnerabilities and exploits associated with products from Cisco, Nortel, Avaya, and other leading vendors in the area.

It claims its knowledge of these bugs gives it the edge in protecting its clients' IP telephony systems from hacking attacks using a product called VoIPguard, which it describes as an intrusion prevention system for IP telephony systems. ®

Related stories

Cisco hits lowered targets (7 May 2008)
Cisco hops onto patching treadmill (6 March 2008)
Cisco plugs VoIP malware loophole (15 February 2008)
VOIP and the web baffle Brit spook wiretappers (30 January 2008)
2008 - the year VoIP gets hacked? (17 January 2008)
Skype update plugs critical bug (10 December 2007)
Cisco VoIP bug poses eavesdropping risk (29 November 2007)