Cisco recommends removing SIP support unless needed. “If the affected Cisco IOS device requires SIP for VoIP services, SIP cannot be disabled, and no workarounds are available. Users are advised to apply mitigation techniques to help limit exposure to the vulnerabilities. Mitigation consists of allowing only legitimate devices to connect to affected devices. To increase effectiveness, the mitigation must be coupled with anti-spoofing measures on the network edge. This action is required because SIP can use UDP as the transport protocol.”

The full advisory is reprinted below:

Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities

* Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities

Document ID: 111448

Advisory ID: cisco-sa-20100324-sip

http://www.cisco.com/warp/public/707/cisco-sa-20100324-sip.shtml

Revision 1.0
For Public Release 2010 March 24 1600 UTC (GMT)

Summary

Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device when SIP operation is enabled. Remote code execution may also be possible.

Cisco has released free software updates that address these vulnerabilities. For devices that must run SIP there are no workarounds; however, mitigations are available to limit exposure of the vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-sip.shtml.

Note: The March 24, 2010, Cisco IOS Software Security Advisory bundled publication includes seven Security Advisories. All the advisories address vulnerabilities in Cisco IOS Software. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that have been published on March 24, 2010, or earlier:

http://www.cisco.com/warp/public/707/cisco-sa-20100324-bundle.shtml

Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar10.html

Affected Products

These vulnerabilities only affect devices running Cisco IOS Software with SIP voice services enabled.

Impact

Successful exploitation of the vulnerabilities in this advisory may result in a reload of the device. Repeated exploitation could result in a sustained denial of service condition. There is a potential to execute arbitrary code. In the event of successful remote code execution, device integrity could be completely compromised.

Related Links / Suggested Readings

• Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities
• Vulnerability Scans and Assessments

Whether you’re a Cisco fan that finally realizes Asterisk can provide better PBX services (at a lower cost) or just someone who happens to have a bunch of Cisco Skinny VoIP telephones laying around, converting the firmware to SIP can make the Cisco phone compatible with many VoIP systems.

But, don’t take my word for it… go to the VoIP Insider and read Cory’s tech tip. Give it a shot and tell us what you think.

What you VoIPing 'bout Willis?

Yes, you guessed it correctly. In today’s article, Diff’rent Strokes will be used as a metaphor for VoIP. Why? The correct question is “Why Not?” And the answer… well that’s simple — Diff’rent Strokes is the perfect metaphor. Take for example these classic lines from the show’s theme song:

Now, the world don’t move to the beat of just one drum,
What might be right for you, may not be right for some.

Classic. Pausing for Trivia… do you know which 80’s sitcom star wrote these lyrics? If you said Growing Pains actor and Canadian sensation Alan Thicke, you’d be right… but, as usual, we digress.

Those working within VoIP, and contrary to many medical reports there are people still working in the industry, have many flavors and styles of VoIP products to choose from. Although opinions vary, there really is no “right” or “wrong” product line. Selecting your VoIP implementation is an individual choice that is determined simply by what works best for you.

Asterisk versus FreeSWITCH versus Closed Source

Asterisk, by Digium, provides full PBX (private branch exchange) functionality in a (reasonably) small footprint, software package. Created by Mark Spencer in 1999, Asterisk provides itself to the VoIP community free of charge through the GNU General Public License. Asterisk does not require “per seat” licensing fees, maintains a very active community of developers, and requires no additional hardware for a strict VoIP deployment (although grabbing a Digium hardware card to connect to the PSTN makes this software very versatile).

FreeSWITCH, also an open source telephony software program, was developed after Asterisk, by people actively engaged in the Asterisk community. Much like the Facts of Life spun off from Diff’rent Strokes, FreeSWITCH developers thought that new software would be better for telephony; based on their experiences working with Asterisk. They worked hard and created a system that more suited their needs — and like Digium, they have shared this software with the world. The FreeSWITCH site posts a well-written, detailed explanation of “How does FreeSWITCH compare to Asterisk?” on their website (and keeping with the Facts of Life theme… FreeSWITCH approached the software with a “you take the good, you take the bad” approach).

Closed source systems, such as Broadworks, Cisco Call Manager, and Nortel IP Telephony solutions also provide VoIP software and hardware. Closed source systems pride themselves on providing “carrier” class solutions with dedicated support personnel. They also offer licensing fees, fancy logos, and lots of printed documentation.

So which is the best choice? 

Remember: “The world don’t move to the beat of just one drum.”

Choosing a VoIP solution demands thought. Yes, Virginia, you truly have to warm up the water and boil the brain noodle for a while. Is Asterisk best suited for this deployment? Brian West would say that FreeSWITCH would be better in all situations. Others would say, “Hey, use Cisco in large deployments” (although Sam Houston State University might say otherwise).

There simply is no right or wrong answer. As long as you keep well informed of the products out there, the different tools available, and can approach your needs by selecting from your set of tools, you’ll be making the right choice. Fred uses Asterisk. Why? It works for him, and he’s comfortable with it, and he can deploy solutions quickly. Others use FreeSWITCH for the same reason. And who’s right? Simply put, everyone is.

This same discussion can be applied to coding within the VoIP platform of your choice. Recently, when we discussed using Asterisk, Cepstral, and Perl to Get Parking and Weather Updates, we received many, many comments from people with different approaches.

Dug Song commented how Twilio could be used in this situation while Jason Goeke demonstrated how Adhersion could also be used. Within the comments we can see that some coders like jumping into the programming interface (and staying there) whereas Fred likes the “get in, get out” approach and stay in the Asterisk dial plan as much as possible.

So, again, who is right?

We turn once more, to the wise Alan Thicke and Diff’rent Strokes:

Everybody’s got a special kind of story
Everybody finds a way to shine,
It don’t matter that you got not a lot 
So what,
They’ll have theirs, and you’ll have yours, and I’ll have mine.
And together we’ll be fine…
Because it takes, Diff’rent Strokes to move the world.
Yes it does.
It takes, Diff’rent Strokes to move the world.

roll credits