Credit:
The original article can be found at: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20f32.shtml
Vulnerable Systems:
* Cisco IOS Software with SIP voice services enabled
Immune Systems:
* SIP Application Layer Gateway (ALG), used by the Cisco IOS NAT and firewall features of Cisco IOS Software
* Cisco IOS XE Software
* Cisco IOS XR Software
Three vulnerabilities exist in the SIP implementation in Cisco IOS Software that may allow a remote attacker to cause a device reload, or execute arbitrary code. These vulnerabilities are triggered when the device running Cisco IOS Software processes malformed SIP messages.
In cases where SIP is running over TCP transport, a TCP three-way handshake is necessary to exploit these vulnerabilities.
Successful exploitation of the vulnerabilities in this advisory may result in a reload of the device. Repeated exploitation could result in a sustained denial of service condition. There is a potential to execute arbitrary code. In the event of successful remote code execution, device integrity could be completely compromised.
Patch Availability:
Cisco has released free software updates that address these vulnerabilities.
Workaround:
If the affected Cisco IOS device requires SIP for VoIP services, SIP cannot be disabled, and no workarounds are available. Users are advised to apply mitigation techniques to help limit exposure to the vulnerabilities. Mitigation consists of allowing only legitimate devices to connect to affected devices. To increase effectiveness, the mitigation must be coupled with anti-spoofing measures on the network edge. This action is required because SIP can use UDP as the transport protocol.
Additional mitigations that can be deployed on Cisco devices within the network are available in the companion document "Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Cisco Unified Communications Manager Express and Cisco IOS Software H.323 and Session Initiation Protocol Denial of Service Vulnerabilities", which is available at the following location:
http://www.cisco.com/warp/public/707/cisco-amb-20100324-voice.shtml.
For devices that do not require SIP to be enabled, the simplest and most effective workaround is to disable SIP processing on the device. Some versions of Cisco IOS Software allow administrators to disable SIP with the following commands:
sip-ua
no transport udp
no transport tcp
no transport tcp tls
Warning: When applying this workaround to devices that are processing Media Gateway Control Protocol (MGCP) or H.323 calls, the device will not stop SIP processing while active calls are being processed. Under these circumstances, this workaround should be implemented during a maintenance window when active calls can be briefly stopped.
The show udp connections, show tcp brief all, and show processes | include SIP commands can be used to confirm that the SIP UDP and TCP ports are closed after applying this workaround.
Depending on the Cisco IOS Software version in use, the output from the show ip sockets command may still show the SIP ports open, but sending traffic to them will cause the SIP process to emit the following message:
*Feb 2 11:36:47.691: sip_udp_sock_process_read: SIP UDP Listener is DISABLED
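The workaround above only holds when all three transports are explicitly disabled under sip-ua, and because IOS enables SIP transports by default, a missing "no transport ..." line means that transport is still open. The following Python script is an added example (not from the Cisco advisory or from Cisco) that audits saved running-configs for exactly that condition and also checks a syslog feed for the "SIP UDP Listener is DISABLED" message quoted above. The three sample configs, the hostnames and the log lines are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample running-configs (not from the advisory):
# one device with the full workaround, one with only UDP disabled,
# and one with no sip-ua section at all (all transports at their default).
HARDENED_CONFIG = """\
hostname voice-gw-1
!
sip-ua
 no transport udp
 no transport tcp
 no transport tcp tls
!
line vty 0 4
"""

PARTIAL_CONFIG = """\
hostname voice-gw-2
!
sip-ua
 no transport udp
 retry invite 3
!
"""

DEFAULT_CONFIG = """\
hostname voice-gw-3
!
line vty 0 4
"""

# Transports named by the advisory's workaround. SIP transports are enabled by
# default in IOS, so only an explicit "no transport ..." line counts as disabled.
SIP_TRANSPORTS = ("udp", "tcp", "tcp tls")


def sip_ua_lines(config: str) -> List[str]:
    """Return the indented lines that belong to the 'sip-ua' section (empty if absent)."""
    section: List[str] = []
    in_section = False
    for line in config.splitlines():
        if not in_section:
            in_section = line.strip() == "sip-ua"
            continue
        # The section ends at the first non-indented line ("!" or the next top-level command).
        if not line.startswith(" "):
            break
        section.append(line.strip())
    return section


def sip_transport_status(config: str) -> Dict[str, bool]:
    """Map each SIP transport to True when the config explicitly disables it."""
    disabled = {t: False for t in SIP_TRANSPORTS}
    for line in sip_ua_lines(config):
        # "tcp tls" is listed before "tcp" so the longer form is matched first.
        m = re.fullmatch(r"no transport (udp|tcp tls|tcp)", line)
        if m:
            disabled[m.group(1)] = True
    return disabled


def sip_disabled(config: str) -> bool:
    """True only when udp, tcp and tcp tls are all disabled under sip-ua."""
    return all(sip_transport_status(config).values())


def audit(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Per hostname, list the SIP transports that are still enabled."""
    return {
        host: [t for t, off in sip_transport_status(cfg).items() if not off]
        for host, cfg in configs.items()
    }


def udp_listener_disabled_logged(log_lines: List[str]) -> bool:
    """True if the SIP process reported its UDP listener as disabled (advisory's message)."""
    return any("SIP UDP Listener is DISABLED" in line for line in log_lines)


if __name__ == "__main__":
    report = audit({"voice-gw-1": HARDENED_CONFIG,
                    "voice-gw-2": PARTIAL_CONFIG,
                    "voice-gw-3": DEFAULT_CONFIG})
    for host, still_open in report.items():
        state = "OK (SIP disabled)" if not still_open else "EXPOSED: " + ", ".join(still_open)
        print(f"{host}: {state}")
    # Constructed syslog sample mirroring the message quoted in the advisory.
    sample_log = ["*Feb 2 11:36:47.691: sip_udp_sock_process_read: SIP UDP Listener is DISABLED"]
    print("UDP listener disabled confirmed:", udp_listener_disabled_logged(sample_log))
```

Run it against configs pulled from your own devices; any host listed as EXPOSED still needs the remaining "no transport" lines, and the log check gives the confirmation the advisory describes for versions where show ip sockets still lists the SIP ports.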
For additional workarounds please refer to the original advisory.
CVE Information:
CVE-2010-0584
Disclosure Timeline:
24/03/2010 - Public disclosure.