[NEWS] SIP Packet Reloads IOS Devices Not Configured for SIP



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



SIP Packet Reloads IOS Devices Not Configured for SIP
------------------------------------------------------------------------


SUMMARY

Cisco devices running IOS which support voice and are not configured for
Session Initiation Protocol (SIP) are affected by a vulnerability that may
lead to a reload of the device under yet to be determined conditions, but
isolated to traffic destined to Port 5060. At the present time, Cisco is
investigating the exact nature of the issue; further details will be
provided in an update to this Advisory at such time as we are able to
confirm the technical characteristics.

There are no known exploits for this issue although the Cisco PSIRT is
seeing randomly generated traffic which may be unintentionally causing
this issue to manifest.

Workarounds exist to mitigate the effects of this problem.

DETAILS

Affected Products:
IOS releases that include voice support after 12.3(14)T, 12.3(8)YC1,
12.3(8)YG and all of 12.4 are affected. Please see the fixed software
table for a complete list of fixed and vulnerable trains.

To determine if your device has SIP enabled, enter the commands show ip
sockets and show tcp brief all. Below is an example of a router running
code without the fix, and without the workaround enabled. The router in
this example is vulnerable to this issue. The router in this example is
running the vulnerable release 7200-p-mz.124-3.bin:

Router#show ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 --any-- 5060 0 0 211 0
17 0.0.0.0 0 192.168.100.2 67 0 0 2211 0
17 0.0.0.0 0 192.168.100.2 2517 0 0 11 0

The first line with UDP Port 5060 shows that UDP SIP is enabled.

Router#show tcp brief all
TCB Local Address Foreign Address (state)
2051E680 *.5060 *.* LISTEN
2051E680 *.5060 *.* LISTEN

The above lines with *.5060 show that TCP SIP is enabled.

Vulnerable Products:
The following is a list of products that support voice and could be
affected by this vulnerability.
* 815
* 871
* 876
* 877
* 878
* 1701
* 1711
* 1712
* 1721
* 1751
* 1751-V
* 1760
* 1801
* 1802
* 1803
* 1811
* 1812
* 1841
* 2610XM-2611XM
* 2620XM-2621XM
* 2650XM-2651XM
* 2691
* 2801
* 2811
* 2821
* 2851
* 3220
* 3250
* 3270
* 3725
* 3745
* 3825
* 3845
* 7200
* 7200-NPE-G2
* 7301

Products Confirmed Not Vulnerable:
Devices that do not support voice are not affected by this issue. Devices
which are properly configured for SIP processing are not affected by this
issue. We have no reports of this vulnerability on devices that are
configured for SIP processing. We also have no reports of affected IOS-XR
devices, CatOS devices, or any device which does not run IOS, but can not
conclusively rule them out without further testing. This advisory will be
updated with more information as it becomes available. Below is an example
of a router not vulnerable to this issue. The router in this example is
running the fixed release c7200-js-mz.124-5b.bin.

Router#show tcp brief all

Router#show ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 192.168.100.2 67 0 0 2211 0

No line with UDP port 5060 is shown, so UDP SIP is not enabled. In this
example, UDP port 67 is used by DHCP and is not related to this vulnerability.

Details:
SIP is a protocol designed for use in IP voice networks and is widely used
for Voice over Internet Protocol (VoIP) communications worldwide.

Cisco devices running certain versions of IOS with support for voice
services may be affected by a vulnerability that may lead to a reload of
the device under yet to be determined conditions, but isolated to traffic
destined to port 5060. The root cause of this reload is currently under
investigation. This issue is being tracked in Cisco Bug ID CSCsh58082
(http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsh58082).

In addition, certain versions of IOS with support for voice services may
process SIP messages even if they are not fully configured for SIP
operation. To process SIP messages IOS will open UDP port 5060 and TCP
port 5060 for listening. The Cisco Bug ID that documents the issue of IOS
processing SIP messages without being fully configured for SIP operation
is CSCsb25337
(http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsb25337).
The fix for this bug turns off the listening ports TCP and UDP 5060.

There have been no reports of CSCsh58082 causing reloads in any images
with CSCsb25337 integrated.

Impact:
Successful exploitation of the vulnerability may result in a reload of the
device. The issue may be repeatedly exploited, leading to an extended
Denial Of Service (DoS) condition.

Workarounds:
Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Intelligence companion document
for this advisory:
http://www.cisco.com/warp/public/707/cisco-air-20070131-sip.shtml

Turn Off SIP Processing

Since this vulnerability is reported only in routers not configured for
SIP, the simplest and most effective workaround is to turn SIP processing
off.

Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#sip-ua
Router(config-sip-ua)#no transport udp
Router(config-sip-ua)#no transport tcp
Router(config-sip-ua)#end

After applying this workaround the commands show ip sockets and show tcp
brief all will not show the device listening on UDP and TCP port 5060:

Router#show ip sockets
Proto Remote Port Local Port In Out Stat TTY
17 --listen-- 9.13.32.18 2887 0 0 11 0

Router#show tcp brief all
TCB Local Address Foreign Address (state)
6649A5A4 *.1720 *.* LISTEN
66CDC764 *.1723 *.* LISTEN
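
The two checks used in this advisory (show ip sockets for the UDP listener, show tcp brief all for the TCP listener) can be run against saved command output rather than read by eye. The following Python script is an added example and is not part of the Cisco advisory or the SecuriTeam bulletin; it embeds the three outputs shown on this page (vulnerable image, fixed image, and the post-workaround output above) as constructed samples and reports whether a device is still listening for SIP on either transport. The row-parsing regex assumes the column layouts shown in these samples; other IOS releases may print additional columns.

```python
from __future__ import annotations
import re

SIP_PORT = 5060

# Constructed samples: the three command outputs reproduced from the advisory
# (vulnerable image, fixed image, and vulnerable image with the workaround applied).
VULNERABLE_IP_SOCKETS = """\
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 --any-- 5060 0 0 211 0
17 0.0.0.0 0 192.168.100.2 67 0 0 2211 0
17 0.0.0.0 0 192.168.100.2 2517 0 0 11 0
"""
VULNERABLE_TCP_BRIEF = """\
TCB Local Address Foreign Address (state)
2051E680 *.5060 *.* LISTEN
2051E680 *.5060 *.* LISTEN
"""
FIXED_IP_SOCKETS = """\
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 192.168.100.2 67 0 0 2211 0
"""
FIXED_TCP_BRIEF = ""  # the fixed image printed nothing for 'show tcp brief all'
WORKAROUND_IP_SOCKETS = """\
Proto Remote Port Local Port In Out Stat TTY
17 --listen-- 9.13.32.18 2887 0 0 11 0
"""
WORKAROUND_TCP_BRIEF = """\
TCB Local Address Foreign Address (state)
6649A5A4 *.1720 *.* LISTEN
66CDC764 *.1723 *.* LISTEN
"""

# One 'show ip sockets' data row: protocol number, remote address, an optional
# remote port (absent when the remote column reads --listen--), local address,
# local port, then the In and Out counters.  Assumption: this matches the row
# layouts shown in the advisory samples above.
_SOCKET_ROW = re.compile(
    r"^(?P<proto>\d+)\s+(?P<remote>\S+)\s+(?:\d+\s+)?(?P<local>\S+)\s+"
    r"(?P<lport>\d+)\s+\d+\s+\d+\s+"
)


def udp_listeners(show_ip_sockets: str) -> set[int]:
    """Return the local UDP ports (protocol 17) present in 'show ip sockets' output."""
    ports: set[int] = set()
    for line in show_ip_sockets.splitlines():
        m = _SOCKET_ROW.match(line.strip())
        if m and m.group("proto") == "17":
            ports.add(int(m.group("lport")))
    return ports


def tcp_listeners(show_tcp_brief: str) -> set[int]:
    """Return the local ports in LISTEN state from 'show tcp brief all' output."""
    ports: set[int] = set()
    for line in show_tcp_brief.splitlines():
        parts = line.split()
        # Data rows are: TCB, local address, foreign address, state
        if len(parts) == 4 and parts[3] == "LISTEN":
            port = parts[1].rsplit(".", 1)[-1]  # '*.5060' -> '5060'
            if port.isdigit():
                ports.add(int(port))
    return ports


def sip_exposure(show_ip_sockets: str, show_tcp_brief: str) -> dict[str, bool]:
    """True for each transport on which the device is listening for SIP (port 5060)."""
    return {
        "udp": SIP_PORT in udp_listeners(show_ip_sockets),
        "tcp": SIP_PORT in tcp_listeners(show_tcp_brief),
    }


if __name__ == "__main__":
    cases = {
        "vulnerable image": (VULNERABLE_IP_SOCKETS, VULNERABLE_TCP_BRIEF),
        "fixed image": (FIXED_IP_SOCKETS, FIXED_TCP_BRIEF),
        "workaround applied": (WORKAROUND_IP_SOCKETS, WORKAROUND_TCP_BRIEF),
    }
    for name, (sockets, tcp) in cases.items():
        exposure = sip_exposure(sockets, tcp)
        verdict = ("SIP listening: apply fix or workaround"
                   if any(exposure.values()) else "no SIP listener")
        print(f"{name:20s} udp={exposure['udp']!s:5s} tcp={exposure['tcp']!s:5s} -> {verdict}")
```

Feed it the captured output of the two show commands from each voice-capable router; any device that reports a 5060 listener on either transport is still exposed and needs the fixed image or the sip-ua workaround above.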

Control Plane Policing
Cisco IOS software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T
support the Control Plane Policing (CoPP) feature. CoPP may be configured
on a device to protect the management and control planes to minimize the
risk and effectiveness of direct infrastructure attacks by explicitly
permitting only authorized traffic sent to infrastructure devices in
accordance with existing security policies and configurations. The
following example can be adapted to your network.

!-- Permit all TCP and UDP SIP traffic sent to all IP addresses
!-- configured on all interfaces of the affected device so that it
!-- will be policed and dropped by the CoPP feature

access-list 100 permit tcp any any eq 5060
access-list 100 permit udp any any eq 5060

!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices

!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature

class-map match-all drop-sip-class
 match access-group 100

!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device

policy-map drop-sip-traffic
 class drop-sip-class
  drop

!-- Apply the Policy-Map to the Control-Plane of the
!-- device

control-plane
 service-policy input drop-sip-traffic

Note: In the above CoPP example, the access control list entries (ACEs)
which match the potential exploit packets with the "permit" action result
in these packets being discarded by the policy-map "drop" function, while
packets that match the "deny" action (not shown) are not affected by the
policy-map drop function. Additional information on the configuration and
use of the CoPP feature can be found at
http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml
and
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html.
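
The CoPP protection only works if the whole chain is present: an ACL that matches both TCP and UDP 5060, a class-map that references it, a policy-map that drops that class, and the policy applied inbound on the control plane. A missing link anywhere (a UDP-only ACE, a policy-map never attached) leaves SIP packets reaching the CPU. The following Python script is an added example, not Cisco's or SecuriTeam's code; it audits a saved running-config for that chain. It embeds the advisory's own CoPP configuration as the known-good sample plus two constructed weak variants. The ACE pattern it recognises (numbered access-list, permit, tcp or udp, any any, eq port) is an assumption; named or more specific ACEs would need additional patterns.

```python
from __future__ import annotations
import re

SIP_PORT = "5060"

# Constructed sample: the CoPP configuration from the advisory, as it would appear
# in 'show running-config' (IOS indents sub-mode commands with one space).
GOOD_CONFIG = """\
access-list 100 permit tcp any any eq 5060
access-list 100 permit udp any any eq 5060
!
class-map match-all drop-sip-class
 match access-group 100
!
policy-map drop-sip-traffic
 class drop-sip-class
  drop
!
control-plane
 service-policy input drop-sip-traffic
"""

# Constructed weak variant: the ACL only covers UDP, so TCP SIP still reaches the CPU.
UDP_ONLY_CONFIG = GOOD_CONFIG.replace("access-list 100 permit tcp any any eq 5060\n", "")

# Constructed weak variant: the policy exists but was never applied to the control plane.
UNAPPLIED_CONFIG = GOOD_CONFIG.replace(" service-policy input drop-sip-traffic\n", "")

# Assumption: only the 'access-list <n> permit <proto> any any eq <port>' ACE form
# is recognised.
_ACE = re.compile(r"^access-list (\d+) permit (tcp|udp) any any eq (\d+)$")


def parse_copp(config: str) -> dict:
    """Collect the ACL, class-map, policy-map and control-plane pieces of a config."""
    acl_matches: dict[str, set[tuple[str, str]]] = {}   # ACL number -> {(proto, port)}
    class_acls: dict[str, set[str]] = {}                 # class-map -> ACL numbers
    policy_actions: dict[str, dict[str, str | None]] = {}  # policy-map -> {class: action}
    cp_policies: set[str] = set()                        # inbound control-plane policies
    section: tuple[str, str] | None = None               # current config sub-mode
    cur_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        ace = _ACE.match(line)
        if ace:
            acl_matches.setdefault(ace.group(1), set()).add((ace.group(2), ace.group(3)))
        elif words[0] == "class-map":
            section = ("class-map", words[-1])
            class_acls.setdefault(words[-1], set())
        elif words[0] == "policy-map":
            section = ("policy-map", words[1])
            policy_actions.setdefault(words[1], {})
            cur_class = None
        elif words[0] == "control-plane":
            section = ("control-plane", "")
        elif section is None:
            continue
        elif section[0] == "class-map" and words[:2] == ["match", "access-group"]:
            class_acls[section[1]].add(words[2])
        elif section[0] == "policy-map" and words[0] == "class":
            cur_class = words[1]
            policy_actions[section[1]].setdefault(cur_class, None)
        elif section[0] == "policy-map" and cur_class and words[0] in ("drop", "police"):
            policy_actions[section[1]][cur_class] = words[0]
        elif section[0] == "control-plane" and words[:2] == ["service-policy", "input"]:
            cp_policies.add(words[2])
    return {"acls": acl_matches, "classes": class_acls,
            "policies": policy_actions, "control_plane": cp_policies}


def sip_copp_findings(config: str) -> list[str]:
    """Return the gaps in the SIP control-plane protection; an empty list means the
    ACL -> class-map -> policy-map(drop) -> control-plane chain covers TCP and UDP."""
    cfg = parse_copp(config)
    findings: list[str] = []
    if not cfg["control_plane"]:
        findings.append("no inbound service-policy on control-plane")
    dropped: set[str] = set()  # transports on which port 5060 is actually dropped
    for policy in cfg["control_plane"]:
        for cls, action in cfg["policies"].get(policy, {}).items():
            if action != "drop":
                continue
            for acl in cfg["classes"].get(cls, set()):
                for proto, port in cfg["acls"].get(acl, set()):
                    if port == SIP_PORT:
                        dropped.add(proto)
    for proto in ("tcp", "udp"):
        if proto not in dropped:
            findings.append(f"SIP over {proto}/{SIP_PORT} is not dropped by the control-plane policy")
    return findings


if __name__ == "__main__":
    for name, cfg in (("advisory example", GOOD_CONFIG), ("udp-only ACL", UDP_ONLY_CONFIG),
                      ("policy not applied", UNAPPLIED_CONFIG)):
        print(f"{name}: {sip_copp_findings(cfg) or ['ok']}")
```

Run it over an archived running-config of each router on the affected-products list; only a device whose findings list is empty has the complete drop chain in place, and the udp-only and unapplied variants show the two most common ways the chain silently breaks.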


ADDITIONAL INFORMATION

The information has been provided by the Cisco Systems Product Security
Incident Response Team (psirt@xxxxxxxxx).
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml


