Cisco IOS Software Music on Hold Information Disclosure Vulnerability

Cisco IOS software contains a vulnerability that could allow an unauthenticated, remote attacker to access and disclose sensitive information.

The vulnerability is due to insecure handling of multicast network traffic. An unauthenticated, remote attacker could exploit the vulnerability by initiating a phone call to the affected system. The vulnerability could allow the attacker to monitor ongoing call information between peers when the call is placed on hold.

Cisco has confirmed the vulnerability and released updated software.

To successfully exploit the vulnerability, the attacker must join the voice call session. To achieve this objective, the attacker may require access to trusted, internal networks. This access limitation could limit the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.