Cisco recently announced a Denial of Service vulnerability in the SIP implementation of Cisco IOS Software. Cisco devices running affected Cisco IOS Software versions that are configured to process SIP messages are affected. The vulnerability allows an unauthenticated remote attacker to cause the device to reload and may also allow remote code execution.
Cisco recommends removing SIP support unless needed. “If the affected Cisco IOS device requires SIP for VoIP services, SIP cannot be disabled, and no workarounds are available. Users are advised to apply mitigation techniques to help limit exposure to the vulnerabilities. Mitigation consists of allowing only legitimate devices to connect to affected devices. To increase effectiveness, the mitigation must be coupled with anti-spoofing measures on the network edge. This action is required because SIP can use UDP as the transport protocol.”
The full advisory is reprinted below:
Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities
Document ID: 111448
Advisory ID: cisco-sa-20100324-sip
http://www.cisco.com/warp/public/707/cisco-sa-20100324-sip.shtml
Revision 1.0
For Public Release 2010 March 24 1600 UTC (GMT)
Summary
Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device when SIP operation is enabled. Remote code execution may also be possible.
Cisco has released free software updates that address these vulnerabilities. For devices that must run SIP there are no workarounds; however, mitigations are available to limit exposure of the vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-sip.shtml.
Note: The March 24, 2010, Cisco IOS Software Security Advisory bundled publication includes seven Security Advisories. All the advisories address vulnerabilities in Cisco IOS Software. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that have been published on March 24, 2010, or earlier:
http://www.cisco.com/warp/public/707/cisco-sa-20100324-bundle.shtml
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar10.html
Affected Products
These vulnerabilities only affect devices running Cisco IOS Software with SIP voice services enabled.
Impact
Successful exploitation of the vulnerabilities in this advisory may result in a reload of the device. Repeated exploitation could result in a sustained denial of service condition. There is a potential to execute arbitrary code. In the event of successful remote code execution, device integrity could be completely compromised.
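The advisory's mitigation (quoted earlier in the post) is to allow only legitimate devices to send SIP to the router and to pair that with anti-spoofing at the network edge, since SIP over UDP is trivially spoofable. The configuration fragment below is an added illustration of that advice, not part of the Cisco advisory or of the original post. The peer address 192.0.2.10 (documentation range), the interface name, and the ACL name are constructed placeholders; the sip-ua transport commands for disabling SIP on a device that does not need it are given as what the author of this example understands the Cisco workaround to be and should be checked against the Workarounds section of the advisory for your IOS release.

```cisco
! ---------------------------------------------------------------
! Option A: device does NOT need SIP -> stop processing SIP entirely
! (assumed commands; verify against the advisory for your release)
! ---------------------------------------------------------------
sip-ua
 no transport udp
 no transport tcp
 no transport tcp tls
!
! ---------------------------------------------------------------
! Option B: device MUST run SIP -> only accept SIP signaling from
! the known call agent / SIP trunk, drop and log everything else.
! 192.0.2.10 is a constructed placeholder for the trusted peer.
! ---------------------------------------------------------------
ip access-list extended SIP-TRUSTED-ONLY
 remark Trusted SIP peer (UDP/TCP 5060, TLS 5061) -- placeholder address
 permit udp host 192.0.2.10 any eq 5060
 permit tcp host 192.0.2.10 any eq 5060
 permit tcp host 192.0.2.10 any eq 5061
 remark Everyone else: drop SIP and log the attempt for detection
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 deny   tcp any any eq 5061 log
 remark Leave non-SIP traffic to the rest of the existing policy
 permit ip any any
!
! Apply inbound on the untrusted (WAN-facing) interface, and enable
! strict unicast RPF so spoofed source addresses (e.g. a forged
! 192.0.2.10 over UDP) are discarded before the ACL is consulted.
interface GigabitEthernet0/0
 description WAN-facing interface (placeholder name)
 ip access-group SIP-TRUSTED-ONLY in
 ip verify unicast source reachable-via rx
```

The order of the ACL entries matters: the permits for the trusted peer must precede the logged denies, and the trailing permit keeps the ACL from silently breaking unrelated traffic when it is applied to an interface that had no ACL before. Strict uRPF is appropriate on an edge interface with symmetric routing; on interfaces where asymmetric paths exist, use the loose form (reachable-via any) or an explicit ingress anti-spoofing ACL instead. The logged denies give the operations team a simple signal (show logging, or a syslog collector) that untrusted hosts are probing SIP on the device.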

blogged on VoIP Tech Chat: Cisco SIP Denial of Service Vulnerabilities http://bit.ly/9ycYvx
Fred Posner
25 Mar 10 at 1:09 pm