The information has been provided by Cisco Systems Product Security Incident Response Team.
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20090304-sbc.shtml
* All Cisco ACE-based SBC modules running software versions prior to 3.0(2) are affected
To determine the version of the Cisco SBC software running on a system, log in to the device and issue the show version command to display the system banner.
card_A/Admin# show version
system image file: [LCP] disk0:c76-sbck9-mzg.3.0.1_AS3_0_00.bin
Cisco SBC software version 3.0.1 is running in the device used in this example.
Products Confirmed Not Vulnerable:
* The Cisco XR 12000 Series SBC is not vulnerable. Additionally, the Cisco ACE Module, Cisco ACE 4710 Application Control Engine, Cisco ACE XML Gateway, Cisco ACE Web Application Firewall, and the Cisco ACE GSS (Global Site Selector) 4400 Series are not affected by this vulnerability. No other Cisco products are currently known to be affected by this vulnerability.
The Session Border Controller (SBC) enables direct IP-to-IP interconnect between multiple administrative domains for session-based services providing protocol interworking, security, and admission control and management. The SBC is a multimedia device that sits on the border of a network and controls call admission to that network. A vulnerability exists in the Cisco SBC where an unauthenticated attacker may cause the Cisco SBC card to reload by sending crafted TCP packets over port 2000. Repeated exploitation could result in a sustained DoS condition.
Note: Only the Cisco SBC module reloads after successful exploitation. The Cisco 7600 series router does not reload and it is not affected by this vulnerability.
Note: TCP port 2000 is typically used by Skinny Call Control Protocol (SCCP) applications. However, the Cisco SBC module uses TCP port 2000 for high availability (redundancy) communication, but does not use the SCCP for this purpose.
This vulnerability is documented in Cisco Bug IDs CSCsq18958 ( registered customers only) ; and has been assigned the Common Vulnerability and Exposures (CVE) IDs CVE-2009-0619.
Successful exploitation of the vulnerability may cause a reload of the affected device. Repeated exploitation could result in a sustained DoS condition.
As a workaround, configure an access control list (ACL) in the signaling / media VLAN on the Route Processor (RP). The following examples show how VLAN 140 is configured as the signaling / media VLAN. A separate VLAN (VLAN 77) is configured as Fault Tolerance (FT). An ACL is added to the signaling/media VLAN on the RP filtering all TCP port 2000 packets to the alias IP address.
Cisco SBC configuration
interface vlan 140
ip address 10.140.1.90 255.255.255.0
alias 10.140.1.100 255.255.255.0
peer ip address 10.140.1.8 255.255.255.0
ft interface vlan 77
ip address 192.168.1.1 255.255.255.0
peer ip address 192.168.1.8 255.255.255.0
!- ACL blocking all TCP port 2000 traffic to the 10.140.1.0 internal network
access-list 100 deny tcp any host 10.140.1.100 eq 2000
access-list 100 permit ip any any
ip address 10.140.1.1 255.255.255.0
!- ACL is applied to the VLAN interface to egress traffic
ip access-group 100 out
The alias command under VLAN 140 is configured with an IP address that floats between active and standby modules when using high availability. Only TCP port 2000 traffic destined to this IP address may trigger this vulnerability. An access control list (ACL) is configured to deny TCP port 2000 destined to the alias IP address (10.140.1.100). The ACL is applied egress in the RP.
Note: TCP port 2000 is used by Skinny Call Control Protocol (SCCP) applications; however, in this case it is used by the SBC for internal communications. The previous ACL only blocks TCP port 2000 traffic to the alias IP address. TCP port 2000 is not used by the alias IP address. This ACL should not cause any collateral damage.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: