
Cisco IOS Software Releases 12.3 Special and Early Deployments

Field Notice: Cisco CallManager Express Customers Using Basic Auto Call Distribution (B-ACD) Auto-attendant Functionality Allows Outside Callers to Dial Calls Through to the PSTN by Default


April 12, 2005


Products Affected

Product: Cisco CallManager Express 3.2.1 (12.3(11)XL) - Cisco CallManager Express
Comments: Cisco CallManager Express 3.2.1 (12.3(11)XL) using Basic Auto Call Distribution script 2.0.0.0

Product: Cisco CallManager Express 3.2.2 (12.3(11)XL1) - Cisco CallManager Express
Comments: Cisco CallManager Express 3.2.2 (12.3(11)XL1) using Basic Auto Call Distribution script 2.0.0.0

Problem Description

Cisco CallManager Express (CCME) 3.2.1 offers a Basic Auto Call Distribution (B-ACD) auto-attendant feature. The auto-attendant application allows outside callers to select a B-ACD call queue or dial by extension number. With the first release of B-ACD (script 2.0.0), a caller who selects Dial By Extension can, by default, dial either an extension or an outside call. Most customers will want to disable this dial-through capability to prevent outside callers from dialing through the CME system. The problem occurs only when the CCME B-ACD auto-attendant is used with the dial-by-extension feature.

Background

Cisco CallManager Express is an IOS-based call control application for small offices or branch locations. B-ACD was released as a new feature with CME 3.2.1, IOS 12.3(11)XL, in Nov 2004. A single-level TCL auto-attendant application was made available together with the TCL-based B-ACD application. The initial-release B-ACD and AA TCL scripts are marked as version 2.0.0.0.

The B-ACD auto-attendant application allows an outside caller to hear a greeting and, using one-key dialing, select a B-ACD queue or dial an extension number. By default, the application greeting says:

 For Sales Press 1, For Support Press 2, To Dial an Extension Press 3. 

The Dial by Extension option will match any Ephone-DN or dial-peer configured in the system. This could be an extension on a phone, an analog device configured for H.323, a PSTN voice interface (analog or digital), or a VoIP dial-peer to a WAN interface.

Problem Symptoms

For customers using CCME 3.2.1 with the Basic Auto Call Distribution auto-attendant, Dial by Extension by default allows callers to dial through the system. Customers should be aware of this default setting and can use one of the workarounds recommended below to prevent unauthorized calls.

Workaround/Solution

The following options can be used to prevent malicious calls through the B-ACD auto-attendant application:

Customers are encouraged to update the B-ACD TCL Scripts now posted on CCO.

  1. Update the B-ACD TCL scripts to version 2.0.1.0. The scripts are now posted on Cisco.com.

    The CME B-ACD scripts can be found at this location: http://www.cisco.com/cgi-bin/tablebuild.pl/ip-iostsp (CCO login required). This new version includes a new TCL parameter whose default does not allow calls over five digits when dialing by extension number. The IOS CLI TCL script option is: call application voice aa max-extension-length 5. This option declares the maximum length of the extension that the user can dial when dial-by-extension-option is chosen. The default value is 5. The value can be 0, for no restriction, up to x digits.

  2. Disable Dial by Extension by not using the following TCL script option:

    call application voice aa dial-by-extension-option 3

    This workaround does not allow outside callers to dial internal or external numbers through the B-ACD AA greeting.

  3. Configure Class of Restriction (COR) to block call transfers from B-ACD to PSTN numbers. The sample configuration below prevents the B-ACD from transferring calls out to local and long distance PSTN numbers. The B-ACD can still transfer calls to internal extensions.

Below is an example of such a configuration:

! Define the COR capability names
dial-peer cor custom
 name longdistance
 name local
!
! COR lists applied to the outgoing PSTN dial-peers
dial-peer cor list call-longdistance
 member longdistance
!
dial-peer cor list call-local
 member local
!
! COR list with no members, applied to calls entering the B-ACD auto-attendant
dial-peer cor list block-pstn
!
! Dial-peer that hands incoming calls to the B-ACD auto-attendant script
dial-peer voice 1 voip
 corlist incoming block-pstn
 application aa
 destination-pattern 1000
 session target ipv4:192.168.1.1
 incoming called-number 1000
 dtmf-relay h245-alphanumeric
 codec g711ulaw
 no vad
!
! Long distance PSTN dial-peer
dial-peer voice 2 pots
 corlist outgoing call-longdistance
 destination-pattern 91..........
 port 0/2/0
!
! Local PSTN dial-peer
dial-peer voice 3 pots
 corlist outgoing call-local
 destination-pattern 9[2-9]......
 port 0/2/0
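
The COR evaluation that workaround 3 relies on, written out as an added example (it is not part of the Cisco notice): an auditor parses a configuration and lists the POTS dial-peers a call from the auto-attendant dial-peer can still reach. The function names are hypothetical, the sample is constructed from the configuration above, and the model assumes every POTS dial-peer is a PSTN route and that the dial-peer carrying `application aa` is the inbound leg.

```python
# Constructed sample, abridged from the notice's COR configuration.
SAMPLE = """\
dial-peer cor list call-longdistance
 member longdistance
dial-peer cor list call-local
 member local
dial-peer cor list block-pstn
dial-peer voice 1 voip
 corlist incoming block-pstn
 application aa
dial-peer voice 2 pots
 corlist outgoing call-longdistance
 destination-pattern 91..........
dial-peer voice 3 pots
 corlist outgoing call-local
 destination-pattern 9[2-9]......
"""

def parse(cfg):
    """Collect COR list members and per-dial-peer settings from config text."""
    cors, peers, cur = {}, {}, None
    for w in (line.split() for line in cfg.splitlines()):
        if w[:3] == ["dial-peer", "cor", "list"] and len(w) == 4:
            cur = cors.setdefault(w[3], set())
        elif w[:2] == ["dial-peer", "voice"] and len(w) == 4:
            cur = peers.setdefault(w[2], {"type": w[3]})
        elif isinstance(cur, set) and len(w) == 2 and w[0] == "member":
            cur.add(w[1])
        elif isinstance(cur, dict) and len(w) == 3 and w[0] == "corlist":
            cur["cor-" + w[1]] = w[2]      # cor-incoming / cor-outgoing
        elif isinstance(cur, dict) and len(w) == 2:
            cur[w[0]] = w[1]               # application, destination-pattern
    return cors, peers

def cor_permits(cors, incoming, outgoing):
    """A call passes if either leg has no corlist, or if the incoming list's
    members are a superset of the outgoing list's members."""
    if incoming is None or outgoing is None:
        return True
    return cors.get(incoming, set()) >= cors.get(outgoing, set())

def pstn_reachable_from_aa(cfg, app="aa"):
    """Return (aa_peer, pots_peer, pattern) triples that COR does not block."""
    cors, peers = parse(cfg)
    return [(tag, out_tag, out["destination-pattern"])
            for tag, p in peers.items() if p.get("application") == app
            for out_tag, out in peers.items()
            if out["type"] == "pots" and "destination-pattern" in out
            and cor_permits(cors, p.get("cor-incoming"), out.get("cor-outgoing"))]
```

An empty result means the member-less `block-pstn` list cannot satisfy either PSTN corlist; removing the `corlist incoming` line from the auto-attendant dial-peer makes both POTS dial-peers reachable again.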


DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS: CSCeh53421
Description: B-ACD allows transfer to any dial-peer on CME

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
