[apops] Cisco Security Advisory: SIP Packet Reloads IOS Devices Not Conf

  • To: apops at apops dot net
  • Subject: [apops] Cisco Security Advisory: SIP Packet Reloads IOS Devices Not Configured for SIP
  • From: Cisco Systems Product Security Incident Response Team <psirt at cisco dot com>
  • Date: Wed, 31 Jan 2007 09:25:00 -0000
  • Cc: psirt at cisco dot com
  • Reply-to: psirt@cisco.com
  • Sender: nobody@cisco.com
      
      Cisco Security Advisory: SIP Packet Reloads IOS Devices Not
      Configured for SIP
      
      Advisory ID: cisco-sa-20070131-sip
      
      http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml
      
      Revision 1.0
      
      For Public Release 2007 Jan 31 0900 UTC (GMT)
      
      ----------------------------------------------------------------------
      
      Summary
      =======
      
      Cisco devices running IOS which support voice and are not configured
      for Session Initiation Protocol (SIP) are vulnerable to a crash under
      conditions that are yet to be determined, but which are isolated to
      traffic destined to port 5060. SIP is enabled by default on all
      Advanced images which support voice and do not contain the fix for
      CSCsb25337. There are no reports of this vulnerability on devices
      which are properly configured for SIP processing. Workarounds exist
      to mitigate the effects of this problem.
      
      This advisory is posted at
      http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml
      
      Affected Products
      =================
      
      IOS releases that include voice support after 12.3(14)T, 12.3(8)YC1,
      12.3(8)YG and all of 12.4 are affected. Please see the fixed software
      table for a complete list of fixed and vulnerable trains.
      
      To determine if your device has SIP enabled, enter the commands 'show
      ip sockets' and 'show tcp brief all'. Below is an example of a router
      running code without the fix, and without the workaround enabled. The
      router in this example is vulnerable to this issue. IOS image in
      example: 7200-p-mz.124-3.bin
      
          Router#show ip sockets
          Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
          17 0.0.0.0             0  --any--          5060   0   0  211   0
          17 0.0.0.0             0 192.168.100.2       67   0   0 2211   0
          17 0.0.0.0             0 192.168.100.2     2517   0   0   11   0               
          
      
      The first line with UDP Port 5060 shows that UDP SIP is enabled.
      
          Router#show tcp brief all
          TCB       Local Address           Foreign Address        (state)
          2051E680  *.5060                  *.*                    LISTEN
          2051E680  *.5060                  *.*                    LISTEN
          
      
      The above lines with *.5060 show that TCP SIP is enabled.
      
      Vulnerable Products
      +------------------
      
      The following is a list of products that support voice and could be
      affected by this vulnerability.
      
        * 815
        * 871
        * 876
        * 877
        * 878
        * 1701
        * 1711
        * 1712
        * 1721
        * 1751
        * 1751-V
        * 1760
        * 1801
        * 1802
        * 1803
        * 1811
        * 1812
        * 1841
        * 2610XM-2611XM
        * 2620XM-2621XM
        * 2650XM-2651XM
        * 2691
        * 2801
        * 2811
        * 2821
        * 2851
        * 3220
        * 3250
        * 3270
        * 3725
        * 3745
        * 3825
        * 3845
        * 7200
        * 7200-NPE-G2
        * 7301
      
      Products Confirmed Not Vulnerable
      +--------------------------------
      
      Devices which do not support voice are not affected by this issue.
      Devices which are properly configured for SIP processing are not
      affected by this issue. We have no reports of this vulnerability on
      devices that are configured for SIP processing. We also have no
      reports of affected IOS-XR devices, CatOS devices, or any device
      which does not run IOS, but cannot conclusively rule them out
      without further testing. This advisory will be updated with more
      information as it becomes available. Below is an example of a router 
      not vulnerable to this issue. The router in this example is running
      the fixed release c7200-js-mz.124-5b.bin.
      
          Router#show tcp brief all
          
          Router#show ip sockets
          Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
          17 0.0.0.0             0 192.168.100.2      67   0   0 2211   0
          
      
      No lines with UDP port 5060 are shown, so UDP SIP is not enabled. In
      this example UDP port 67 is used by DHCP and is not related to this
      vulnerability.
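
      The check described above, as an added example (not part of Cisco's
      advisory): a Python parser that reads the two command outputs and
      reports whether anything is listening on port 5060. The sample text
      is copied from this advisory; the function names are assumptions of
      the example.

```python
SIP_PORT = 5060

# Outputs copied from this advisory: router without the fix or workaround.
VULN_IP_SOCKETS = """\
Router#show ip sockets
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
17 0.0.0.0             0  --any--          5060   0   0  211   0
17 0.0.0.0             0 192.168.100.2       67   0   0 2211   0
17 0.0.0.0             0 192.168.100.2     2517   0   0   11   0
"""
VULN_TCP_BRIEF = """\
Router#show tcp brief all
TCB       Local Address           Foreign Address        (state)
2051E680  *.5060                  *.*                    LISTEN
2051E680  *.5060                  *.*                    LISTEN
"""
# Outputs copied from this advisory: router running the fixed release.
FIXED_IP_SOCKETS = """\
Router#show ip sockets
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
17 0.0.0.0             0 192.168.100.2      67   0   0 2211   0
"""
FIXED_TCP_BRIEF = "Router#show tcp brief all\n"


def udp_ports(show_ip_sockets):
    """Local UDP ports listed by 'show ip sockets' (protocol 17 rows)."""
    ports = set()
    for line in show_ip_sockets.splitlines():
        f = line.split()
        # Row layout: proto remote rport local lport in out stat tty [outif]
        if len(f) >= 9 and f[0] == "17" and f[2].isdigit() and f[4].isdigit():
            ports.add(int(f[4]))
    return ports


def tcp_listen_ports(show_tcp_brief):
    """Local ports in LISTEN state from 'show tcp brief all'."""
    ports = set()
    for line in show_tcp_brief.splitlines():
        f = line.split()
        # Row layout: TCB local-address foreign-address state
        if len(f) == 4 and f[3] == "LISTEN":
            port = f[1].rsplit(".", 1)[-1]   # '*.5060' -> '5060'
            if port.isdigit():
                ports.add(int(port))
    return ports


def sip_listeners(show_ip_sockets, show_tcp_brief):
    """Report whether UDP and TCP port 5060 are open on the device."""
    return {
        "udp": SIP_PORT in udp_ports(show_ip_sockets),
        "tcp": SIP_PORT in tcp_listen_ports(show_tcp_brief),
    }


if __name__ == "__main__":
    print("unfixed:", sip_listeners(VULN_IP_SOCKETS, VULN_TCP_BRIEF))
    print("fixed:  ", sip_listeners(FIXED_IP_SOCKETS, FIXED_TCP_BRIEF))
```

      A router that is intentionally configured for SIP also shows these
      listeners, so a positive result needs to be read against the
      device's configuration.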
      
      Details
      =======
      
      SIP is a protocol designed for use in IP phone networks, and is
      widely used for Voice over Internet Protocol (VoIP) communications
      worldwide. Cisco devices running an affected image which supports
      voice services automatically enable SIP, which opens a listening port
      on UDP port 5060. TCP port 5060 is also opened, but does not appear
      to be related to the IOS crash detailed in this advisory.
      
      CSCsb25337 turns off the listening ports TCP and UDP 5060, and there
      have been no reports of this vulnerability in any images with this
      fix integrated.
      
      Impact
      ======
      
      Successful exploitation of the vulnerability may result in a reload
      of the device. The issue may be repeatedly exploited, leading to an
      extended denial of service (DoS) condition.
      
      Software Version and Fixes
      ==========================
      
      When considering software upgrades, also consult
      http://www.cisco.com/go/psirt and any subsequent advisories to
      determine exposure and a complete upgrade solution.
      
      In all cases, customers should exercise caution to be certain the
      devices to be upgraded contain sufficient memory and that current
      hardware and software configurations will continue to be supported
      properly by the new release. If the information is not clear, contact
      the Cisco Technical Assistance Center ("TAC") or your contracted
      maintenance provider for assistance.
      
      Each row of the Cisco IOS software table (below) describes a release
      train and the platforms or products for which it is intended. If a
      given release train is vulnerable, then the earliest possible
      releases that contain the fix (the "First Fixed Release") and the
      anticipated date of availability for each are listed in the "Rebuild"
      and "Maintenance" columns. A device running a release in the given
      train that is earlier than the release in a specific column (less
      than the First Fixed Release) is known to be vulnerable. The release
      should be upgraded at least to the indicated release or a later
      version (greater than or equal to the First Fixed Release label).
      
      For more information on the terms "Rebuild" and "Maintenance," consult
      the following URL: http://www.cisco.com/warp/public/620/1.html
      
      +---------------------------------------+
      |   Major    | Availability of Repaired |
      |  Release   |         Releases         |
      |------------+--------------------------|
      | Affected   |            |             |
      | 12.0-Based | Rebuild    | Maintenance |
      | Release    |            |             |
      |------------+--------------------------|
      | 12.0       | All 12.0 releases are    |
      |            | not vulnerable           |
      |------------+--------------------------|
      | Affected   |            |             |
      | 12.1-Based | Rebuild    | Maintenance |
      | Release    |            |             |
      |------------+--------------------------|
      | 12.1       | All 12.1 releases are    |
      |            | not vulnerable           |
      |------------+--------------------------|
      | Affected   |            |             |
      | 12.2-Based | Rebuild    | Maintenance |
      | Release    |            |             |
      |------------+--------------------------|
      | 12.2       | All 12.2 releases are    |
      |            | not vulnerable           |
      |------------+--------------------------|
      | Affected   |            |             |
      | 12.3-Based | Rebuild    | Maintenance |
      | Release    |            |             |
      |------------+--------------------------|
      | 12.3       | Not vulnerable           |
      |------------+--------------------------|
      | 12.3B      | Not vulnerable           |
      |------------+--------------------------|
      | 12.3BC     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3BW     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3JA     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3JEA    | Not vulnerable           |
      |------------+--------------------------|
      | 12.3JEB    | Not vulnerable           |
      |------------+--------------------------|
      | 12.3JK     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3JX     | Not vulnerable           |
      |------------+--------------------------|
      |            | Only 12.3(14)T releases  |
      |            | are vulnerable; migrate  |
      | 12.3T      | to 12.4(8) or later. All |
      |            | other 12.3T releases are |
      |            | not vulnerable.          |
      |------------+--------------------------|
      | 12.3TPC    | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XA     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XB     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XC     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XD     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XE     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XF     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XG     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XH     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XI     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XJ     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XK     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XQ     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XR     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XS     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XU     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XW     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XX     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3XY     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3YA     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3YD     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3YF     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3YG     | 12.3(8)YG5 |             |
      |------------+--------------------------|
      | 12.3YH     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3YI     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3YJ     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3YK     | Vulnerable; migrate to   |
      |            | 12.4(4)T3 or later       |
      |------------+--------------------------|
      | 12.3YM     | 12.3(14)   |             |
      |            | YM8        |             |
      |------------+--------------------------|
      | 12.3YQ     | Vulnerable; migrate to   |
      |            | 12.4(6)T1 or later       |
      |------------+--------------------------|
      | 12.3YS     | Not vulnerable           |
      |------------+--------------------------|
      | 12.3YT     | Vulnerable; migrate to   |
      |            | 12.4(4)T3 or later       |
      |------------+--------------------------|
      | 12.3YU     | Vulnerable; migrate to   |
      |            | 12.4(2)XB2 or later      |
      |------------+--------------------------|
      | 12.3YX     | 12.3(14)   |             |
      |            | YX2        |             |
      |------------+--------------------------|
      | 12.3YZ     | Not vulnerable           |
      |------------+--------------------------|
      | Affected   |            |             |
      | 12.4-Based | Rebuild    | Maintenance |
      | Release    |            |             |
      |------------+------------+-------------|
      |            | 12.4(3d)   |             |
      |            |------------+-------------|
      | 12.4       | 12.4(5b)   |             |
      |            |------------+-------------|
      |            | 12.4(7a)   | 12.4(8)     |
      |------------+------------+-------------|
      | 12.4MR     |            | 12.4(6)MR   |
      |------------+--------------------------|
      | 12.4SW     | All 12.4SW releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      |            | 12.4(2)T5  |             |
      |            |------------+-------------|
      | 12.4T      | 12.4(4)T3  |             |
      |            |------------+-------------|
      |            | 12.4(6)T1  | 12.4(9)T    |
      |------------+--------------------------|
      | 12.4XA     | Vulnerable; migrate to   |
      |            | 12.4(6)T1 or later       |
      |------------+--------------------------|
      | 12.4XB     | 12.4(4)XB2 |             |
      |------------+--------------------------|
      | 12.4XC     | Vulnerable; contact TAC  |
      |------------+--------------------------|
      | 12.4XD     | 12.4(4)XD2 |             |
      |------------+--------------------------|
      | 12.4XE     | All 12.4XE releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.4XG     | All 12.4XG releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.4XJ     | All 12.4XJ releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.4XP     | All 12.4XP releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.4XT     | All 12.4XT releases are  |
      |            | fixed                    |
      +---------------------------------------+
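
      One way to apply the table to a given release string, as an added
      example that is not part of Cisco's advisory. It covers only the
      rows copied into FIRST_FIXED and assumes that a listed rebuild fixes
      only later rebuilds of the same maintenance number, while any
      release at or above the highest listed release is fixed.

```python
import re

# Rows copied from the advisory's table (subset). Each list holds the
# "Rebuild" and "Maintenance" first fixed releases for that train.
FIRST_FIXED = {
    "12.4":   ["12.4(3d)", "12.4(5b)", "12.4(7a)", "12.4(8)"],
    "12.4T":  ["12.4(2)T5", "12.4(4)T3", "12.4(6)T1", "12.4(9)T"],
    "12.4MR": ["12.4(6)MR"],
    "12.4XD": ["12.4(4)XD2"],
    "12.3YG": ["12.3(8)YG5"],
    "12.3YM": ["12.3(14)YM8"],
    "12.3YX": ["12.3(14)YX2"],
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]*)\)([A-Z]*)(\d*)$")


def parse_ios(version):
    """Split e.g. '12.4(4)T3' into (train, maintenance, rebuild)."""
    m = _VERSION.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised IOS version: {version!r}")
    major, minor, maint, letter, train, number = m.groups()
    # Mainline rebuilds carry a letter inside the parentheses, e.g. (3d);
    # other trains carry a number after the train letters, e.g. T3.
    rebuild = (letter, int(number or 0))
    return f"{major}.{minor}{train}", int(maint), rebuild


def check(version):
    """Return 'fixed', 'vulnerable', or 'unknown' (train not in subset)."""
    train, maint, rebuild = parse_ios(version)
    fixes = FIRST_FIXED.get(train)
    if fixes is None:
        return "unknown"
    parsed = [parse_ios(f)[1:] for f in fixes]   # (maintenance, rebuild)
    # At or above the highest listed first fixed release.
    if (maint, rebuild) >= max(parsed):
        return "fixed"
    # Assumption: a rebuild fix applies to the same maintenance number only.
    for fix_maint, fix_rebuild in parsed:
        if fix_maint == maint and rebuild >= fix_rebuild:
            return "fixed"
    return "vulnerable"


if __name__ == "__main__":
    # 12.4(3) and 12.4(5b) are the releases encoded in the two image
    # names this advisory uses as its unfixed and fixed examples.
    for v in ["12.4(3)", "12.4(5b)", "12.4(5a)", "12.4(4)T2", "12.4(9)T1"]:
        print(f"{v:12} {check(v)}")
```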
      
      Workarounds
      ===========
      
      Additional mitigations that can be deployed on Cisco devices within
      the network are available in the Cisco Applied Intelligence companion
      document for this advisory:
      http://www.cisco.com/warp/public/707/cisco-air-20070131-sip.shtml
      
      Turn off SIP processing
      +-----------------------
      
      Since this vulnerability is reported only in routers not configured
      for SIP, the simplest and most effective workaround is to turn SIP
      processing off.
      
          Router#configure terminal
          Enter configuration commands, one per line.  End with CNTL/Z.
          Router(config)#sip-ua
          Router(config-sip-ua)#no transport udp
          Router(config-sip-ua)#no transport tcp
          Router(config-sip-ua)#end
          
      
      Control Plane Policing
      +---------------------
      
      Cisco IOS software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and
      12.4T support the Control Plane Policing (CoPP) feature. CoPP may be
      configured on a device to protect the management and control planes
      to minimize the risk and effectiveness of direct infrastructure
      attacks by explicitly permitting only authorized traffic sent to
      infrastructure devices in accordance with existing security policies
      and configurations. The following example can be adapted to your
      network.
      
              !-- Permit all TCP and UDP SIP traffic sent to all IP addresses
              !-- configured on all interfaces of the affected device so that it
              !-- will be policed and dropped by the CoPP feature
          
              access-list 100 permit tcp any any eq 5060
              access-list 100 permit udp any any eq 5060
          
              !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
              !-- traffic in accordance with existing security policies and
              !-- configurations for traffic that is authorized to be sent
              !-- to infrastructure devices
              !
              !-- Create a Class-Map for traffic to be policed by
              !-- the CoPP feature
          
              class-map match-all drop-sip-class
                match access-group 100
          
              !-- Create a Policy-Map that will be applied to the
              !-- Control-Plane of the device
          
              policy-map drop-sip-traffic
                class drop-sip-class
                  drop
          
              !-- Apply the Policy-Map to the Control-Plane of the
              !-- device
          
              control-plane
                service-policy input drop-sip-traffic
          
      
      Note: In the above CoPP example, the access control list entries
      (ACEs) which match the potential exploit packets with the "permit"
      action result in these packets being discarded by the policy-map
      "drop" function, while packets that match the "deny" action (not
      shown) are not affected by the policy-map drop function. Additional
      information on the configuration and use of the CoPP feature can be
      found at
      
      http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml
      
      and
      
      http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html.
      
      Obtaining Fixed Software
      ========================
      
      Cisco will make free software available to address this vulnerability
      for affected customers. This advisory will be updated as fixed
      software becomes available. Prior to deploying software, customers
      should consult their maintenance provider or check the software for
      feature set compatibility and known issues specific to their
      environment.
      
      Customers may only install and expect support for the feature sets
      they have purchased. By installing, downloading, accessing or
      otherwise using such software upgrades, customers agree to be bound by
      the terms of Cisco's software license terms found at
      http://www.cisco.com/public/sw-license-agreement.html or as
      otherwise set forth at Cisco.com Downloads at
      http://www.cisco.com/public/sw-center/sw-usingswc.shtml
      
      Do not contact either "psirt at cisco dot com" or "security-alert at cisco dot com"
      for software upgrades.
      
      Customers with Service Contracts
      +-------------------------------
      
      Customers with contracts should obtain upgraded software through
      their regular update channels. For most customers, this means that
      upgrades should be obtained through the Software Center on Cisco's
      worldwide website at http://www.cisco.com.
      
      Customers using Third Party Support Organizations
      +------------------------------------------------
      
      Customers whose Cisco products are provided or maintained through
      prior or existing agreement with third-party support organizations
      such as Cisco Partners, authorized resellers, or service providers
      should contact that support organization for guidance and assistance
      with the appropriate course of action in regards to this advisory.
      
      The effectiveness of any workaround or fix is dependent on specific
      customer situations such as product mix, network topology, traffic
      behavior, and organizational mission. Due to the variety of affected
      products and releases, customers should consult with their service
      provider or support organization to ensure any applied workaround or
      fix is the most appropriate for use in the intended network before it
      is deployed.
      
      Customers without Service Contracts
      +----------------------------------
      
      Customers who purchase direct from Cisco but who do not hold a Cisco
      service contract and customers who purchase through third-party
      vendors but are unsuccessful at obtaining fixed software through
      their point of sale should get their upgrades by contacting the Cisco
      Technical Assistance Center (TAC). TAC contacts are as follows.
      
        * +1 800 553 2447 (toll free from within North America)
        * +1 408 526 7209 (toll call from anywhere in the world)
        * e-mail: tac at cisco dot com
      
      Have your product serial number available and give the URL of this
      notice as evidence of your entitlement to a free upgrade. Free
      upgrades for non-contract customers must be requested through the
      TAC.
      
      Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
      for additional TAC contact information, including special localized
      telephone numbers and instructions and e-mail addresses for use in
      various languages.
      
      Exploitation and Public Announcements
      =====================================
      
      This issue was first reported to Cisco by a customer. Cisco PSIRT is
      seeing randomly generated traffic which may be unintentionally
      causing this issue to manifest.
      
      Status of this Notice: INTERIM
      ==============================
      
      THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
      KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
      MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
      INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
      AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
      DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW
      INFORMATION BECOMES AVAILABLE.
      
      A stand-alone copy or paraphrase of the text of this document that
      omits the distribution URL in the following section is an
      uncontrolled copy, and may lack important information or contain
      factual errors.
      
      Distribution
      ============
      
      This advisory is posted on Cisco's worldwide website at:
      
      http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml
      
      In addition to worldwide web posting, a text version of this notice
      is clear-signed with the Cisco PSIRT PGP key and is posted to the
      following e-mail and Usenet news recipients.
      
        * cust-security-announce at cisco dot com
        * first-teams at first dot org
        * bugtraq at securityfocus dot com
        * vulnwatch at vulnwatch dot org
        * cisco at spot dot colorado dot edu
        * cisco-nsp at puck dot nether dot net
        * full-disclosure at lists.grok dot org dot uk
        * comp.dcom.sys.cisco at newsgate dot cisco dot com
      
      Future updates of this advisory, if any, will be placed on Cisco's
      worldwide website, but may or may not be actively announced on
      mailing lists or newsgroups. Users concerned about this problem are
      encouraged to check the above URL for any updates.
      
      Revision History
      ================
      
      +---------------------------------------+
      | Revision |                 | Initial  |
      | 1.0      | 2007-January-31 | public   |
      |          |                 | release  |
      +---------------------------------------+
      
      Cisco Security Procedures
      =========================
      
      Complete information on reporting security vulnerabilities in Cisco
      products, obtaining assistance with security incidents, and
      registering to receive security information from Cisco, is available
      on Cisco's worldwide website at
      http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
      This includes instructions for press inquiries regarding Cisco
      security notices.  All Cisco security advisories are available at
      http://www.cisco.com/go/psirt.
      