Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities
Cisco Security Advisory
Emergency Support:
+1 877 228 7302 (toll-free within North America)
+1 408 525 6532 (International direct-dial)
Non-emergency Support:
Email: psirt@cisco.com
Support requests that are received via e-mail are typically acknowledged within 48 hours.
Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.
More information can be found in Cisco Security Vulnerability Policy available at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html
cisco-sa-20100922-sip
Final
1.1
2010-09-22T16:00:00
2012-09-21T19:16:00
TVCE
Multiple vulnerabilities exist in the Session Initiation Protocol (SIP)
implementation in Cisco IOSĀ® Software that could
allow an unauthenticated, remote attacker to cause a reload of an affected
device when SIP operation is enabled.
Cisco has released software updates that address these vulnerabilities. There are no workarounds for devices that must run SIP;
however, mitigations are available to limit exposure to the
vulnerabilities.
This advisory is posted at
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-sip["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-sip"].
Note: The September 22, 2010, Cisco IOS Software Security Advisory bundled
publication includes six Cisco Security Advisories. Five of the advisories
address vulnerabilities in Cisco IOS Software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each advisory lists
the releases that correct the vulnerability or vulnerabilities detailed in the
advisory. The table at the following URL lists releases that correct all Cisco
IOS Software vulnerabilities that have been published on September 22, 2010, or
earlier:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-bundle["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-bundle"]
Individual publication links are in "Cisco Event Response:
Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the
following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html["http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html"]
Cisco Unified Communications Manager (CUCM) is affected by the
vulnerabilities described in this advisory. Two separate Cisco Security
Advisories have been published to disclose the vulnerabilities that affect the
Cisco Unified Communications Manager at the following locations:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090826-cucm["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090826-cucm"]
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-cucmsip["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-cucmsip"]
These vulnerabilities only affect devices running Cisco IOS Software
with SIP voice services enabled.
Cisco devices are affected when they are running affected Cisco IOS
Software versions that are configured to process SIP messages.
Recent versions of Cisco IOS Software do not process SIP
messages by default. Creating a dial peer by issuing the dial-peer
voice command will start the SIP processes, causing the Cisco IOS
device to process SIP messages. In addition, several features within Cisco
Unified Communications Manager Express, such as ePhones, will also
automatically start the SIP process when they are configured, causing the
device to start processing SIP messages. An example of an affected
configuration follows:
dial-peer voice voip
...
!
In addition to inspecting the Cisco IOS device configuration for a
dial-peer command that causes the device to process SIP
messages, administrators can also use the show processes | include
SIP command to determine whether Cisco IOS Software is running the
processes that handle SIP messages. In the following example, the presence of
the processes CCSIP_UDP_SOCKET or
CCSIP_TCP_SOCKET indicates that the Cisco IOS device will
process SIP messages:
Router# show processes | include SIP
149 Mwe 40F48254 4 1 400023108/24000 0 CCSIP_UDP_SOCKET
150 Mwe 40F48034 4 1 400023388/24000 0 CCSIP_TCP_SOCKET
Note: Because there are several ways a device running Cisco IOS Software
can start processing SIP messages, it is recommended that the show
processes | include SIP command be used to determine whether the
device is processing SIP messages instead of relying on the presence of
specific configuration commands.
Cisco Unified Border Element images are also affected by two of these
vulnerabilities.
Note: The Cisco Unified Border Element feature (previously known as the
Cisco Multiservice IP-to-IP Gateway) is a special Cisco IOS Software image that
runs on Cisco multiservice gateway platforms. It provides a network-to-network
interface point for billing, security, call admission control, quality of
service, and signaling interworking.
To determine the Cisco IOS Software release that is running on a Cisco
product, administrators can log in to the device and issue the show
version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying text
similar to "Cisco Internetwork Operating System Software" or "Cisco IOS
Software." The image name displays in parentheses, followed by "Version" and
the Cisco IOS Software release name. Other Cisco devices do not have the
show version command or may provide different output.
The following example identifies a Cisco product that is
running Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:
Router# show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
!--- output truncated
The following example identifies a Cisco product that is running Cisco
IOS Software Release 12.4(20)T with an installed image name of
C1841-ADVENTERPRISEK9-M:
Router# show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T,
RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide" at the
following link: http://www.cisco.com/warp/public/620/1.html["http://www.cisco.com/warp/public/620/1.html"].
Note: CUCM is affected by the vulnerabilities described in this advisory.
Two separate Cisco Security Advisories have been published to disclose the
vulnerabilities that affect the Cisco Unified Communications Manager at the
following locations:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090826-cucm["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090826-cucm"]
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-cucmsip["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-cucmsip"]
The SIP Application Layer Gateway (ALG), which is used by the Cisco IOS
NAT and firewall features of Cisco IOS Software, is not affected by these
vulnerabilities.
Cisco IOS XR Software is not affected by these
vulnerabilities.
No other Cisco products are currently known to be affected
by these vulnerabilities.
SIP is a popular signaling protocol that is used to manage voice and
video calls across IP networks such as the Internet. SIP is responsible for
handling all aspects of call setup and termination. Voice and video are the
most popular types of sessions that SIP handles, but the protocol has the
flexibility to accommodate other applications that require call setup and
termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or
Transport Layer Security (TLS; TCP port 5061) as the underlying transport
protocol.
Three vulnerabilities exist in the SIP implementation in Cisco IOS
Software that may allow a remote attacker to cause an affected device to
reload. These vulnerabilities are triggered when the device running Cisco IOS
Software processes crafted SIP messages.
Note: In cases where SIP is running over TCP transport, a TCP three-way
handshake is necessary to exploit these vulnerabilities.
These vulnerabilities are addressed by Cisco bug IDs
CSCta20040
["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCta20040"]
(
registered["https://sec.cloudapps.cisco.comRPF/register/register.do"] customers only)
,
CSCsz43987
["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsz43987"]
(
registered["https://sec.cloudapps.cisco.comRPF/register/register.do"] customers only)
, and
CSCtf72678
["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtf72678"]
(
registered["https://sec.cloudapps.cisco.comRPF/register/register.do"] customers only)
, and have been assigned
Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-2835, CVE-2009-2051,
and CVE-2010-2834, respectively.
If the affected Cisco IOS device requires SIP for VoIP services, SIP
cannot be disabled, and no workarounds are available. Users are advised to
apply mitigation techniques to help limit exposure to the vulnerabilities.
Mitigation consists of allowing only legitimate devices to connect to affected
devices. To increase effectiveness, the mitigation must be coupled with
anti-spoofing measures on the network edge. This action is required because SIP
can use UDP as the transport protocol.
Additional mitigations that can be deployed on Cisco devices within the
network are available in the companion document "Cisco Applied Mitigation
Bulletin:Identifying and Mitigating Exploitation of the Multiple
Vulnerabilities in Cisco Voice Products", which is available at the following
location:https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20100922-voice["https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20100922-voice"].
Disabling SIP Listening Ports
For devices that do not require SIP to be enabled, the simplest and
most effective workaround is to disable SIP processing on the device. Some
versions of Cisco IOS Software allow administrators to disable SIP with the
following commands:
sip-ua
no transport udp
no transport tcp
no transport tcp tls
Warning: When applying this workaround to devices that are processing Media
Gateway Control Protocol (MGCP) or H.323 calls, the device will not stop SIP
processing while active calls are being processed. Under these circumstances,
this workaround should be implemented during a maintenance window when active
calls can be briefly stopped.
The show udp connections, show tcp brief
all, and show processes | include SIP commands can be
used to confirm that the SIP UDP and TCP ports are closed after applying this
workaround.
Depending on the Cisco IOS Software version in use, the
output from the show ip sockets command may still show the SIP
ports open, but sending traffic to them will cause the SIP process to emit the
following message:
*Jun 2 11:36:47.691: sip_udp_sock_process_read: SIP UDP Listener is DISABLED
Control Plane Policing
For devices that need to offer SIP services, it is possible to use
Control Plane Policing (CoPP) to block SIP traffic to the device from untrusted
sources. Cisco IOS Releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T
support the CoPP feature. CoPP may be configured on a device to protect the
management and control planes to minimize the risk and effectiveness of direct
infrastructure attacks by explicitly permitting only authorized traffic sent to
infrastructure devices in accordance with existing security policies and
configurations. The following example can be adapted to specific network
configurations:
!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
!-- Everything else is not trusted. The following access list is used
!-- to determine what traffic needs to be dropped by a control plane
!-- policy (the CoPP feature.) If the access list matches (permit)
!-- then traffic will be dropped and if the access list does not
!-- match (deny) then traffic will be processed by the router.
access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061
access-list 100 deny udp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5061
access-list 100 permit udp any any eq 5060
access-list 100 permit tcp any any eq 5060
access-list 100 permit tcp any any eq 5061
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
class-map match-all drop-sip-class
match access-group 100
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
policy-map control-plane-policy
class drop-sip-class
drop
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
control-plane
service-policy input control-plane-policy
Note: Because SIP can use UDP as a transport protocol, it is possible to
easily spoof the IP address of the sender, which may defeat access control
lists that permit communication to these ports from trusted IP
addresses.
In the above CoPP example, the access control entries (ACEs) that match
the potential exploit packets with the "permit" action result in these packets
being discarded by the policy-map "drop" function, while packets that match the
"deny" action (not shown) are not affected by the policy-map drop function.
Additional information on the configuration and use of the CoPP feature can be
found at http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html["http://www.cisco.com/warp/public/707/"]
and
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html["http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html"].
When considering software upgrades, also consult
http://www.cisco.com/go/psirt["http://www.cisco.com/go/psirt"]
and any subsequent advisories to determine exposure and a complete upgrade
solution.
In all cases, customers should exercise caution to be
certain the devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported properly by
the new release. If the information is not clear, contact the Cisco Technical
Assistance Center (TAC) or your contracted maintenance provider for assistance.
Each row of the following Cisco IOS Software table
corresponds to a Cisco IOS Software train. If a particular train is vulnerable,
the earliest releases that contain the fix are listed in the First Fixed
Release For This Advisory column. The First Fixed Release for All Advisories in
the September 2010 Bundle Publication column lists the earliest possible
releases that correct all the published vulnerabilities in the Cisco IOS
Software Security Advisory bundled publication. Cisco recommends upgrading to
the latest available release, where possible.
Major Release
Availability of Repaired
Releases
Affected 12.0-Based Releases
First Fixed Release for This
Advisory
First Fixed Release for All Advisories in the September
2010 Bundle Publication
There are no affected 12.0-based releases
Affected 12.1-Based Releases
First Fixed Release for This
Advisory
First Fixed Release for All Advisories in the September
2010 Bundle Publication
There are no affected 12.1-based releases
Affected 12.2-Based Releases
First Fixed Release for This
Advisory
First Fixed Release for All Advisories in the September
2010 Bundle Publication
12.2
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2B
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
Releases up to and including 12.2(2)B7 are not
vulnerable.
12.2BC
Not Vulnerable
Not Vulnerable
12.2BW
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2BX
Not Vulnerable
Vulnerable; first fixed in 12.2SB["#12_2SB"]
Releases up to and including 12.2(15)BX are not
vulnerable.
12.2BY
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
Releases up to and including 12.2(2)BY3 are not
vulnerable.
12.2BZ
Not Vulnerable
Not Vulnerable
12.2CX
Not Vulnerable
Not Vulnerable
12.2CY
Not Vulnerable
Not Vulnerable
12.2CZ
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2DA
Not Vulnerable
Not Vulnerable
12.2DD
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2DX
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2EW
Not Vulnerable
Not Vulnerable
12.2EWA
Not Vulnerable
Not Vulnerable
12.2EX
Not Vulnerable
Not Vulnerable
12.2EY
Not Vulnerable
Not Vulnerable
12.2EZ
Not Vulnerable
Not Vulnerable
12.2FX
Not Vulnerable
Not Vulnerable
12.2FY
Not Vulnerable
Not Vulnerable
12.2FZ
Not Vulnerable
Not Vulnerable
12.2IRA
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2IRB
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2IRC
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2IRD
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2IRE
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2IXA
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2IXB
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2IXC
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2IXD
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2IXE
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2IXF
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2IXG
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2IXH
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2JA
Not Vulnerable
Not Vulnerable
12.2JK
Not Vulnerable
Not Vulnerable
12.2MB
Not Vulnerable
Not Vulnerable
12.2MC
Not Vulnerable
Releases up to and including 12.2(15)MC1 are not vulnerable.
Releases 12.2(15)MC2b and later are not vulnerable; first fixed in
12.4T["#12_4T"]
12.2MRA
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2MRB
Not Vulnerable
12.2(33)MRB2
12.2S
Not Vulnerable
Releases prior to 12.2(30)S are vulnerable, release 12.2(30)S and
later are not vulnerable
12.2SB
Not Vulnerable
12.2(31)SB19
Releases prior to 12.2(33)SB5 are vulnerable, release 12.2(33)SB5
and later are not vulnerable
12.2SBC
Not Vulnerable
Vulnerable; first fixed in 12.2SB["#12_2SB"]
12.2SCA
Not Vulnerable
Vulnerable; first fixed in 12.2SCB["#12_2SCB"]
12.2SCB
Not Vulnerable
12.2(33)SCB9
12.2SCC
Not Vulnerable
12.2(33)SCC5
12.2SCD
Not Vulnerable
12.2(33)SCD3
12.2SE
Not Vulnerable
Not Vulnerable
12.2SEA
Not Vulnerable
Not Vulnerable
12.2SEB
Not Vulnerable
Not Vulnerable
12.2SEC
Not Vulnerable
Not Vulnerable
12.2SED
Not Vulnerable
Not Vulnerable
12.2SEE
Not Vulnerable
Not Vulnerable
12.2SEF
Not Vulnerable
Not Vulnerable
12.2SEG
Not Vulnerable
Not Vulnerable
12.2SG
Not Vulnerable
Releases prior to 12.2(40)SG are vulnerable, release 12.2(40)SG
and later are not vulnerable; migrate to any release in 12.2SGA
12.2SGA
Not Vulnerable
Not Vulnerable
12.2SL
Not Vulnerable
Not Vulnerable
12.2SM
Not Vulnerable
Not Vulnerable
12.2SO
Not Vulnerable
Not Vulnerable
12.2SQ
Not Vulnerable
Not Vulnerable
12.2SRA
Not Vulnerable
Releases prior to 12.2(33)SRA6 are vulnerable, release
12.2(33)SRA6 and later are not vulnerable
12.2SRB
Not Vulnerable
Releases prior to 12.2(33)SRB1 are vulnerable, release
12.2(33)SRB1 and later are not vulnerable
12.2SRC
Not Vulnerable
Not Vulnerable
12.2SRD
Not Vulnerable
Not Vulnerable
12.2SRE
Not Vulnerable
12.2(33)SRE1
12.2STE
Not Vulnerable
Not Vulnerable
12.2SU
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2SV
Not Vulnerable
Releases prior to 12.2(29b)SV1 are vulnerable, release
12.2(29b)SV1 and later are not vulnerable; migrate to any release in
12.2SVD
12.2SVA
Not Vulnerable
Not Vulnerable
12.2SVC
Not Vulnerable
Not Vulnerable
12.2SVD
Not Vulnerable
Not Vulnerable
12.2SVE
Not Vulnerable
Not Vulnerable
12.2SW
Not Vulnerable
Releases up to and including 12.2(21)SW1 are not vulnerable.
Releases 12.2(25)SW12 and later are not vulnerable; first fixed in
12.4T["#12_4T"]
12.2SX
Not Vulnerable
Releases up to and including 12.2(14)SX2 are not
vulnerable.
12.2SXA
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2SXB
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2SXD
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2SXE
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2SXF
Not Vulnerable
Releases prior to 12.2(18)SXF11 are vulnerable, release
12.2(18)SXF11 and later are not vulnerable
12.2SXH
Not Vulnerable
Not Vulnerable
12.2SXI
Not Vulnerable
Not Vulnerable
12.2SY
Vulnerable; migrate to any release in 12.2S
Not Vulnerable
12.2SZ
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2T
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2TPC
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2XA
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2XB
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2XC
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2XD
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2XE
Not Vulnerable
Not Vulnerable
12.2XF
Not Vulnerable
Not Vulnerable
12.2XG
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2XH
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2XI
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2XJ
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2XK
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2XL
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2XM
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2XN
Not Vulnerable
Vulnerable; first fixed in 12.2SB["#12_2SB"]
12.2XNA
Please see Cisco IOS-XE Software
Availability["#iosxe"]
Please see Cisco IOS-XE Software
Availability["#iosxe"]
12.2XNB
Please see Cisco IOS-XE Software
Availability["#iosxe"]
Please see Cisco IOS-XE Software
Availability["#iosxe"]
12.2XNC
Please see Cisco IOS-XE Software
Availability["#iosxe"]
Please see Cisco IOS-XE Software
Availability["#iosxe"]
12.2XND
Please see Cisco IOS-XE Software
Availability["#iosxe"]
Please see Cisco IOS-XE Software
Availability["#iosxe"]
12.2XNE
Please see Cisco IOS-XE Software
Availability["#iosxe"]
Please see Cisco IOS-XE Software
Availability["#iosxe"]
12.2XNF
Please see Cisco IOS-XE Software
Availability["#iosxe"]
Please see Cisco IOS-XE Software
Availability["#iosxe"]
12.2XO
Not Vulnerable
Not Vulnerable
12.2XQ
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2XR
Not Vulnerable
Not Vulnerable
12.2XS
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2XT
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2XU
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2XV
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2XW
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2YA
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2YB
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2YC
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2YD
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2YE
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2YF
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2YG
Not Vulnerable
Not Vulnerable
12.2YH
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2YJ
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2YK
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2YL
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2YM
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2YN
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2YO
Not Vulnerable
Not Vulnerable
12.2YP
Not Vulnerable
Not Vulnerable
12.2YQ
Not Vulnerable
Not Vulnerable
12.2YR
Not Vulnerable
Not Vulnerable
12.2YS
Not Vulnerable
Not Vulnerable
12.2YT
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2YU
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2YV
Not Vulnerable
Releases prior to 12.2(11)YV1 are vulnerable, release 12.2(11)YV1
and later are not vulnerable
12.2YW
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2YX
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2YY
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2YZ
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2ZA
Not Vulnerable
Not Vulnerable
12.2ZB
Not Vulnerable
Releases up to and including 12.2(8)ZB are not
vulnerable.
12.2ZC
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2ZD
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2ZE
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2ZF
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2ZG
Not Vulnerable
Not Vulnerable
12.2ZH
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.2ZJ
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2ZL
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2ZP
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2ZU
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2ZX
Not Vulnerable
Not Vulnerable
12.2ZY
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.2ZYA
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
Affected 12.3-Based Releases
First Fixed Release for This
Advisory
First Fixed Release for All Advisories in the September
2010 Bundle Publication
12.3
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3B
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3BC
Not Vulnerable
Not Vulnerable
12.3BW
Not Vulnerable
Not Vulnerable
12.3EU
Not Vulnerable
Not Vulnerable
12.3JA
Not Vulnerable
Not Vulnerable
12.3JEA
Not Vulnerable
Not Vulnerable
12.3JEB
Not Vulnerable
Not Vulnerable
12.3JEC
Not Vulnerable
Not Vulnerable
12.3JED
Not Vulnerable
Not Vulnerable
12.3JK
Releases up to and including 12.3(2)JK3 are not
vulnerable.
Releases 12.3(8)JK1 and later are not vulnerable; first fixed in
12.4T["#12_4T"]
Releases up to and including 12.3(2)JK3 are not vulnerable.
Releases 12.3(8)JK1 and later are not vulnerable; first fixed in
12.4T["#12_4T"]
12.3JL
Not Vulnerable
Not Vulnerable
12.3JX
Not Vulnerable
Not Vulnerable
12.3T
Vulnerable; first fixed in 12.4T["#12_4T"]
Releases up to and including 12.3(4)T11 are not
vulnerable.
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3TPC
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.3VA
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3XA
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3XB
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.3XC
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3XD
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3XE
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3XF
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.3XG
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3XI
Releases prior to 12.3(7)XI11 are vulnerable, release 12.3(7)XI11
and later are not vulnerable
Releases prior to 12.3(7)XI11 are vulnerable, release 12.3(7)XI11
and later are not vulnerable; first fixed in 12.2SB["#12_2SB"]
12.3XJ
Vulnerable; migrate to any release in 12.4XN
Vulnerable; first fixed in 12.4XR["#12_4XR"]
12.3XK
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3XL
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3XQ
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3XR
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3XS
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3XU
Vulnerable; first fixed in 12.4T["#12_4T"]
Releases up to and including 12.3(8)XU1 are not
vulnerable.
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3XW
Vulnerable; migrate to any release in 12.4XN
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3XX
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3XY
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3XZ
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3YA
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3YD
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3YF
Vulnerable; migrate to any release in 12.4XN
Vulnerable; first fixed in 12.4XR["#12_4XR"]
12.3YG
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3YH
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3YI
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3YJ
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3YK
Releases prior to 12.3(11)YK3 are vulnerable, release 12.3(11)YK3
and later are not vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3YM
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3YQ
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3YS
Vulnerable; first fixed in 12.4T["#12_4T"]
Releases up to and including 12.3(11)YS1 are not
vulnerable.
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3YT
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3YU
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.3YX
Vulnerable; migrate to any release in 12.4XN
Vulnerable; first fixed in 12.4XR["#12_4XR"]
12.3YZ
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.3ZA
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
Affected 12.4-Based Releases
First Fixed Release for This
Advisory
First Fixed Release for All Advisories in the September
2010 Bundle Publication
12.4
12.4(25d)
12.4(25d)
12.4GC
12.4(24)GC2
12.4(24)GC2
12.4JA
Not Vulnerable
Not Vulnerable
12.4JDA
Not Vulnerable
Not Vulnerable
12.4JDC
Not Vulnerable
Not Vulnerable
12.4JDD
Not Vulnerable
Not Vulnerable
12.4JHA
Not Vulnerable
Not Vulnerable
12.4JHB
Not Vulnerable
Not Vulnerable
12.4JK
Not Vulnerable
Not Vulnerable
12.4JL
Not Vulnerable
Not Vulnerable
12.4JMA
Not Vulnerable
Not Vulnerable
12.4JMB
Not Vulnerable
Not Vulnerable
12.4JX
Not Vulnerable
Not Vulnerable
12.4JY
Not Vulnerable
Not Vulnerable
12.4MD
Not Vulnerable
12.4(24)MD2
12.4MDA
Not Vulnerable
12.4(22)MDA4
12.4MR
Vulnerable; first fixed in 12.4MRA["#12_4MRA"]
Vulnerable; first fixed in 12.4MRA["#12_4MRA"]
12.4MRA
12.4(20)MRA1
12.4(20)MRA1
12.4SW
Not Vulnerable
Vulnerable; first fixed in 12.4T
12.4T
12.4(15)T14
12.4(24)T4
12.4(20)T6
12.4(15)T14
12.4(24)T4
12.4(20)T6
12.4XA
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.4XB
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.4XC
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.4XD
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.4XE
Releases prior to 12.4(6)XE5 are vulnerable, release 12.4(6)XE5
and later are not vulnerable; first fixed in 12.4T["#12_4T"]
Releases prior to 12.4(6)XE5 are vulnerable, release 12.4(6)XE5
and later are not vulnerable; first fixed in 12.4T["#12_4T"]
12.4XF
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.4XG
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.4XJ
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.4XK
Not Vulnerable
Vulnerable; first fixed in 12.4T["#12_4T"]
12.4XL
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.4XM
Releases up to and including 12.4(15)XM are not
vulnerable.
Releases 12.4(15)XM3 and later are not vulnerable; first fixed in
12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.4XN
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.4XP
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.4XQ
Not Vulnerable
12.4(15)XQ6; Available on 22-SEP-10
12.4XR
Not Vulnerable
12.4(15)XR9
12.4(22)XR7
12.4XT
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.4XV
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.4XW
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.4XY
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.4XZ
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.4YA
Vulnerable; first fixed in 12.4T["#12_4T"]
Vulnerable; first fixed in 12.4T["#12_4T"]
12.4YB
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.4YD
Not Vulnerable
Vulnerable; Contact your support organization per the
instructions in Obtaining Fixed Software["#fixes"] section of
this advisory
12.4YE
Not Vulnerable
12.4(24)YE1
12.4YG
Not Vulnerable
12.4(24)YG3
Affected 15.0-Based Releases
First Fixed Release for This
Advisory
First Fixed Release for All Advisories in the September
2010 Bundle Publication
15.0M
15.0(1)M3
15.0(1)M3
15.0S
Cisco 7600 and 10000 Series routers: Not Vulnerable
Cisco ASR 1000 Series routes: Please see Cisco
IOS-XE Software Availability["#iosxe"]
Cisco 7600 and 10000 Series routers: 15.0(1)S1 (available early
October 2010).
Cisco ASR 1000 Series routes: Please see Cisco
IOS-XE Software Availability["#iosxe"]
15.0XA
15.0(1)XA4
Vulnerable; first fixed in 15.1T["#15_1T"]
15.0XO
Not Vulnerable
Not Vulnerable
Affected 15.1-Based Releases
First Fixed Release for This
Advisory
First Fixed Release for All Advisories in the September
2010 Bundle Publication
15.1T
15.1(2)T0a
15.1(1)T1
15.1(2)T1
15.1XB
15.1(1)XB
Vulnerable; first fixed in 15.1T["#15_1T"]
Cisco IOS XE Software
Cisco IOS XE Release
First Fixed Release for This Advisory
First Fixed Release for All Advisories in the September 2010
Bundle Publication
2.1.x
Not Vulnerable
Not Vulnerable
2.2.x
Not Vulnerable
Not Vulnerable
2.3.x
Not Vulnerable
Not Vulnerable
2.4.x
Not Vulnerable
Not Vulnerable
2.5.x
Vulnerable; migrate to 2.6.2 or later
Vulnerable; migrate to 2.6.2 or later
2.6.x
2.6.1
2.6.2
3.1.xS
Not Vulnerable
Not Vulnerable
For mapping of Cisco IOS XE to Cisco IOS releases, please refer to the
Cisco
IOS XE 2["http://www.cisco.com/en/US/docs/ios/ios_xe/2/release/notes/rnasr21.html#wp2310700"] and
Cisco
IOS XE 3S Release Notes["http://www.cisco.com/en/US/docs/ios/ios_xe/3/release/notes/asr1k_rn_3s_sys_req.html#wp2999052"].
Cisco IOS XR System Software
Cisco IOS XR Software is not affected by the vulnerabilities disclosed
in the September 22, 2010, Cisco IOS Software Security Advisory bundled
publication.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy[https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were discovered by Cisco during
internal testing.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-sip
Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities
Cisco IOS 12.3(11)T
Cisco IOS 12.3(7)T12
Cisco IOS 12.3(11)T11
Cisco IOS 12.3(11)T10
Cisco IOS 12.3(14)T7
Cisco IOS 12.3(14)T
Cisco IOS 12.3(8)T
Cisco IOS 12.3(7)T
Cisco IOS 12.3(8)T9
Cisco IOS 12.3(11)T2a
Cisco IOS 12.3(8)T6
Cisco IOS 12.3(14)T4
Cisco IOS 12.3(8)T2
Cisco IOS 12.3(11)T5
Cisco IOS 12.3(7)T3
Cisco IOS 12.3(8)T3
Cisco IOS 12.3(8)T7
Cisco IOS 12.3(11)T8
Cisco IOS 12.3(7)T2
Cisco IOS 12.3(8)T4
Cisco IOS 12.3(8)T8
Cisco IOS 12.3(14)T5
Cisco IOS 12.3(11)T3
Cisco IOS 12.3(8)T10
Cisco IOS 12.3(14)T2
Cisco IOS 12.3(7)T7
Cisco IOS 12.3(7)T10
Cisco IOS 12.3(7)T4
Cisco IOS 12.3(11)T6
Cisco IOS 12.3(7)T11
Cisco IOS 12.3(7)T5
Cisco IOS 12.3(14)T3
Cisco IOS 12.3(11)T4
Cisco IOS 12.3(7)T9
Cisco IOS 12.3(8)T11
Cisco IOS 12.3(11)T1
Cisco IOS 12.3(11)T9
Cisco IOS 12.3(7)T8
Cisco IOS 12.3(8)T5
Cisco IOS 12.3(14)T1
Cisco IOS 12.3(11)T2
Cisco IOS 12.3(7)T6
Cisco IOS 12.3(11)T7
Cisco IOS 12.3(7)T1
Cisco IOS 12.3(14)T6
Cisco IOS 12.3(11)T12
Cisco IOS 12.3(8)T1
Cisco IOS 12.3(4)XQ
Cisco IOS 12.3(4)XQ1
Cisco IOS 12.3(11)XL
Cisco IOS 12.3(7)XL
Cisco IOS 12.3(11)XL1
Cisco IOS 12.3(11)XL3
Cisco IOS 12.3(11)XL2
Cisco IOS 12.3(4)XK3
Cisco IOS 12.3(4)XK1
Cisco IOS 12.3(4)XK4
Cisco IOS 12.3(4)XK
Cisco IOS 12.3(4)XK2
Cisco IOS 12.3(7)XJ
Cisco IOS 12.3(7)XJ1
Cisco IOS 12.3(7)XJ2
Cisco IOS 12.3(7)XI
Cisco IOS 12.3(7)XI7
Cisco IOS 12.3(7)XI1
Cisco IOS 12.3(7)XI7a
Cisco IOS 12.3(7)XI2b
Cisco IOS 12.3(7)XI3a
Cisco IOS 12.3(7)XI3
Cisco IOS 12.3(7)XI6
Cisco IOS 12.3(7)XI2
Cisco IOS 12.3(7)XI5
Cisco IOS 12.3(4)XH
Cisco IOS 12.3(4)XH1
Cisco IOS 12.3(4)XG
Cisco IOS 12.3(4)XG3
Cisco IOS 12.3(4)XG1
Cisco IOS 12.3(4)XG4
Cisco IOS 12.3(4)XG2
Cisco IOS 12.3(4)XG5
Cisco IOS 12.3(2)XF
Cisco IOS 12.3(4)XD
Cisco IOS 12.3(4)XD4
Cisco IOS 12.3(4)XD1
Cisco IOS 12.3(4)XD3
Cisco IOS 12.3(4)XD2
Cisco IOS 12.3(7)XM
Cisco IOS 12.3(7)XR
Cisco IOS 12.3(7)XR4
Cisco IOS 12.3(7)XR3
Cisco IOS 12.3(7)XR5
Cisco IOS 12.3(7)XR6
Cisco IOS 12.3(7)XR7
Cisco IOS 12.3(8)XU5
Cisco IOS 12.3(8)XU2
Cisco IOS 12.3(8)XU4
Cisco IOS 12.3(8)XU3
Cisco IOS 12.3(8)XX
Cisco IOS 12.3(8)XX1
Cisco IOS 12.3(8)XW
Cisco IOS 12.3(8)XW2
Cisco IOS 12.3(8)XW3
Cisco IOS 12.3(8)XW1
Cisco IOS 12.3(8)XW1b
Cisco IOS 12.3(8)XW1a
Cisco IOS 12.3(8)XY
Cisco IOS 12.3(8)XY3
Cisco IOS 12.3(8)XY5
Cisco IOS 12.3(8)XY4
Cisco IOS 12.3(8)XY1
Cisco IOS 12.3(8)XY7
Cisco IOS 12.3(8)XY2
Cisco IOS 12.3(8)XY6
Cisco IOS 12.3(11)YF
Cisco IOS 12.3(11)YF2
Cisco IOS 12.3(11)YF3
Cisco IOS 12.3(11)YF4
Cisco IOS 12.3(11)YF1
Cisco IOS 12.3(8)YG
Cisco IOS 12.3(8)YG3
Cisco IOS 12.3(8)YG2
Cisco IOS 12.3(8)YG4
Cisco IOS 12.3(8)YC
Cisco IOS 12.3(8)YC2
Cisco IOS 12.3(8)YC3
Cisco IOS 12.3(8)YC1
Cisco IOS 12.3(11)YL
Cisco IOS 12.3(11)YL2
Cisco IOS 12.3(11)YL1
Cisco IOS 12.3(11)YK
Cisco IOS 12.3(11)YK1
Cisco IOS 12.3(11)YK2
Cisco IOS 12.3(11)JA2
Cisco IOS 12.3(14)YQ8
Cisco IOS 12.3(14)YQ
Cisco IOS 12.3(14)YQ5
Cisco IOS 12.3(14)YQ4
Cisco IOS 12.3(14)YQ7
Cisco IOS 12.3(14)YQ1
Cisco IOS 12.3(14)YQ6
Cisco IOS 12.3(14)YQ3
Cisco IOS 12.3(14)YQ2
Cisco IOS 12.3(11)YR
Cisco IOS 12.3(11)YR1
Cisco IOS 12.4(3e)
Cisco IOS 12.4(7b)
Cisco IOS 12.4(8)
Cisco IOS 12.4(5b)
Cisco IOS 12.4(7a)
Cisco IOS 12.4(3d)
Cisco IOS 12.4(1)
Cisco IOS 12.4(1a)
Cisco IOS 12.4(1b)
Cisco IOS 12.4(1c)
Cisco IOS 12.4(10)
Cisco IOS 12.4(3)
Cisco IOS 12.4(3a)
Cisco IOS 12.4(3b)
Cisco IOS 12.4(3c)
Cisco IOS 12.4(3f)
Cisco IOS 12.4(5)
Cisco IOS 12.4(5a)
Cisco IOS 12.4(7c)
Cisco IOS 12.4(7)
Cisco IOS 12.4(8a)
Cisco IOS 12.4(8b)
Cisco IOS 12.4(7d)
Cisco IOS 12.4(3g)
Cisco IOS 12.4(8c)
Cisco IOS 12.4(10b)
Cisco IOS 12.4(12)
Cisco IOS 12.4(12a)
Cisco IOS 12.4(12b)
Cisco IOS 12.4(13)
Cisco IOS 12.4(13a)
Cisco IOS 12.4(13b)
Cisco IOS 12.4(13c)
Cisco IOS 12.4(7e)
Cisco IOS 12.4(17)
Cisco IOS 12.4(18b)
Cisco IOS 12.4(18e)
Cisco IOS 12.4(3i)
Cisco IOS 12.4(3j)
Cisco IOS 12.4(23b)
Cisco IOS 12.4(3h)
Cisco IOS 12.4(7h)
Cisco IOS 12.4(25a)
Cisco IOS 12.4(23d)
Cisco IOS 12.4(16)
Cisco IOS 12.4(13d)
Cisco IOS 12.4(25)
Cisco IOS 12.4(25c)
Cisco IOS 12.4(18d)
Cisco IOS 12.4(19)
Cisco IOS 12.4(13e)
Cisco IOS 12.4(25b)
Cisco IOS 12.4(23)
Cisco IOS 12.4(10c)
Cisco IOS 12.4(21)
Cisco IOS 12.4(16b)
Cisco IOS 12.4(19b)
Cisco IOS 12.4(16a)
Cisco IOS 12.4(23a)
Cisco IOS 12.4(23c)
Cisco IOS 12.4(7f)
Cisco IOS 12.4(18)
Cisco IOS 12.4(21a)
Cisco IOS 12.4(13f)
Cisco IOS 12.4(18c)
Cisco IOS 12.4(5c)
Cisco IOS 12.4(8d)
Cisco IOS 12.4(12c)
Cisco IOS 12.4(17a)
Cisco IOS 12.4(18a)
Cisco IOS 12.4(17b)
Cisco IOS 12.4(7g)
Cisco IOS 12.3(8)JK
Cisco IOS 12.3(14)YU
Cisco IOS 12.3(14)YU1
Cisco IOS 12.4(6)MR1
Cisco IOS 12.4(11)MR
Cisco IOS 12.4(2)MR
Cisco IOS 12.4(4)MR
Cisco IOS 12.4(6)MR
Cisco IOS 12.4(9)MR
Cisco IOS 12.4(12)MR
Cisco IOS 12.4(16)MR
Cisco IOS 12.4(16)MR1
Cisco IOS 12.4(19)MR2
Cisco IOS 12.4(19)MR1
Cisco IOS 12.4(19)MR
Cisco IOS 12.4(20)MR
Cisco IOS 12.4(4)MR1
Cisco IOS 12.4(19)MR3
Cisco IOS 12.4(12)MR1
Cisco IOS 12.4(20)MR2
Cisco IOS 12.4(16)MR2
Cisco IOS 12.4(12)MR2
Cisco IOS 12.4(2)MR1
Cisco IOS 12.4(20)MR1
Cisco IOS 12.4(4)T
Cisco IOS 12.4(4)T1
Cisco IOS 12.4(4)T2
Cisco IOS 12.4(4)T3
Cisco IOS 12.4(6)T
Cisco IOS 12.4(6)T1
Cisco IOS 12.4(6)T2
Cisco IOS 12.4(9)T
Cisco IOS 12.4(4)T4
Cisco IOS 12.4(2)T5
Cisco IOS 12.4(6)T3
Cisco IOS 12.4(2)T
Cisco IOS 12.4(11)T
Cisco IOS 12.4(15)T
Cisco IOS 12.4(20)T
Cisco IOS 12.4(24)T
Cisco IOS 12.4(24)T3
Cisco IOS 12.4(4)T8
Cisco IOS 12.4(20)T1
Cisco IOS 12.4(22)T1
Cisco IOS 12.4(15)T9
Cisco IOS 12.4(11)T4
Cisco IOS 12.4(15)T8
Cisco IOS 12.4(6)T5
Cisco IOS 12.4(15)T2
Cisco IOS 12.4(6)T8
Cisco IOS 12.4(15)T12
Cisco IOS 12.4(6)T11
Cisco IOS 12.4(9)T5
Cisco IOS 12.4(20)T3
Cisco IOS 12.4(6)T4
Cisco IOS 12.4(4)T6
Cisco IOS 12.4(22)T
Cisco IOS 12.4(15)T6a
Cisco IOS 12.4(9)T3
Cisco IOS 12.4(6)T7
Cisco IOS 12.4(15)T13
Cisco IOS 12.4(6)T10
Cisco IOS 12.4(15)T3
Cisco IOS 12.4(24)T2
Cisco IOS 12.4(22)T5
Cisco IOS 12.4(2)T3
Cisco IOS 12.4(15)T10
Cisco IOS 12.4(22)T4
Cisco IOS 12.4(20)T5
Cisco IOS 12.4(9)T6
Cisco IOS 12.4(15)T4
Cisco IOS 12.4(2)T4
Cisco IOS 12.4(24)T1
Cisco IOS 12.4(9)T4
Cisco IOS 12.4(22)T3
Cisco IOS 12.4(9)T1
Cisco IOS 12.4(6)T9
Cisco IOS 12.4(6)T12
Cisco IOS 12.4(20)T5a
Cisco IOS 12.4(15)T5
Cisco IOS 12.4(4)T7
Cisco IOS 12.4(20)T2
Cisco IOS 12.4(2)T1
Cisco IOS 12.4(11)T1
Cisco IOS 12.4(15)T11
Cisco IOS 12.4(2)T6
Cisco IOS 12.4(9)T0a
Cisco IOS 12.4(2)T2
Cisco IOS 12.4(15)T7
Cisco IOS 12.4(11)T2
Cisco IOS 12.4(9)T7
Cisco IOS 12.4(11)T3
Cisco IOS 12.4(15)T6
Cisco IOS 12.4(15)T1
Cisco IOS 12.4(9)T2
Cisco IOS 12.4(6)T6
Cisco IOS 12.4(22)T2
Cisco IOS 12.4(4)T5
Cisco IOS 12.4(20)T4
Cisco IOS 12.3(14)YT
Cisco IOS 12.3(14)YT1
Cisco IOS 12.3(11)JX
Cisco IOS 12.3(7)JX9
Cisco IOS 12.3(11)JX1
Cisco IOS 12.4(2)XB
Cisco IOS 12.4(2)XB1
Cisco IOS 12.4(2)XB6
Cisco IOS 12.4(2)XB7
Cisco IOS 12.4(2)XB11
Cisco IOS 12.4(2)XB3
Cisco IOS 12.4(2)XB9
Cisco IOS 12.4(2)XB8
Cisco IOS 12.4(2)XB2
Cisco IOS 12.4(2)XB10
Cisco IOS 12.4(2)XB4
Cisco IOS 12.4(2)XB5
Cisco IOS 12.4(2)XA
Cisco IOS 12.4(2)XA1
Cisco IOS 12.4(2)XA2
Cisco IOS 12.3(14)YM8
Cisco IOS 12.3(14)YM12
Cisco IOS 12.3(14)YM4
Cisco IOS 12.3(14)YM3
Cisco IOS 12.3(14)YM7
Cisco IOS 12.3(14)YM1
Cisco IOS 12.3(14)YM11
Cisco IOS 12.3(14)YM9
Cisco IOS 12.3(14)YM6
Cisco IOS 12.3(14)YM10
Cisco IOS 12.3(14)YM13
Cisco IOS 12.3(14)YM5
Cisco IOS 12.3(14)YM2
Cisco IOS 12.4(4)XC
Cisco IOS 12.4(4)XC1
Cisco IOS 12.4(4)XC5
Cisco IOS 12.4(4)XC7
Cisco IOS 12.4(4)XC3
Cisco IOS 12.4(4)XC4
Cisco IOS 12.4(4)XC2
Cisco IOS 12.4(4)XC6
Cisco IOS 12.4(4)XD
Cisco IOS 12.4(4)XD4
Cisco IOS 12.4(4)XD10
Cisco IOS 12.4(4)XD6
Cisco IOS 12.4(4)XD12
Cisco IOS 12.4(4)XD2
Cisco IOS 12.4(4)XD8
Cisco IOS 12.4(4)XD11
Cisco IOS 12.4(4)XD1
Cisco IOS 12.4(4)XD5
Cisco IOS 12.4(4)XD7
Cisco IOS 12.4(4)XD3
Cisco IOS 12.4(4)XD9
Cisco IOS 12.4(6)XE
Cisco IOS 12.4(6)XE2
Cisco IOS 12.4(6)XE1
Cisco IOS 12.3(11)YZ1
Cisco IOS 12.3(11)YZ
Cisco IOS 12.3(11)YZ2
Cisco IOS 12.4(11)XJ
Cisco IOS 12.4(11)XJ1
Cisco IOS 12.4(11)XJ3
Cisco IOS 12.4(11)XJ6
Cisco IOS 12.4(11)XJ2
Cisco IOS 12.4(11)XJ5
Cisco IOS 12.4(11)XJ4
Cisco IOS 12.4(6)XT
Cisco IOS 12.4(6)XT1
Cisco IOS 12.4(6)XT2
Cisco IOS 12.4(6)XP
Cisco IOS 12.4(11)MD2
Cisco IOS 12.4(11)XV
Cisco IOS 12.4(11)XV1
Cisco IOS 12.4(11)XW
Cisco IOS 12.4(11)XW3
Cisco IOS 12.4(11)XW7
Cisco IOS 12.4(11)XW10
Cisco IOS 12.4(11)XW8
Cisco IOS 12.4(11)XW9
Cisco IOS 12.4(11)XW6
Cisco IOS 12.4(11)XW4
Cisco IOS 12.4(11)XW1
Cisco IOS 12.4(11)XW5
Cisco IOS 12.4(11)XW2
Cisco IOS 12.4(15)XY4
Cisco IOS 12.4(15)XY5
Cisco IOS 12.4(15)XY1
Cisco IOS 12.4(15)XY
Cisco IOS 12.4(15)XY2
Cisco IOS 12.4(15)XY3
Cisco IOS 12.4(15)XZ
Cisco IOS 12.4(15)XZ2
Cisco IOS 12.4(15)XZ1
Cisco IOS 12.4(15)XL3
Cisco IOS 12.4(15)XL1
Cisco IOS 12.4(15)XL2
Cisco IOS 12.4(15)XL4
Cisco IOS 12.4(15)XL5
Cisco IOS 12.4(15)XL
Cisco IOS 12.3(8)ZA
Cisco IOS 12.3(8)ZA1
Cisco IOS 12.3(11)ZB
Cisco IOS 12.3(11)ZB1
Cisco IOS 12.3(11)ZB2
Cisco IOS 12.4(15)XM1
Cisco IOS 12.4(15)XM2
Cisco IOS 12.4(23c)JY
Cisco IOS 15.0(1)M1
Cisco IOS 15.0(1)M2
Cisco IOS 15.0(1)M
Cisco IOS 15.0(1)XA2
Cisco IOS 15.0(1)XA1
Cisco IOS 15.0(1)XA3
Cisco IOS 15.0(1)XA
Cisco IOS 15.1(1)T
Cisco IOS 15.1(1)XB
Cisco IOS 15.1(1)XB1
Cisco IOS 12.4(21a)M1
Cisco IOS 12.4(23b)M1
Cisco IOS 12.4(5a)M0
Cisco Unified Communications Manager
Cisco IOS XE Software
Cisco IOS Software and Unified Communications Manager SIP Packet Processing Denial of Service Vulnerability
CSCta20040
CSCta20040,CSCtf72678
Complete.
CVE-2010-2835
CVRFPID-103543
CVRFPID-103595
CVRFPID-103631
CVRFPID-103946
CVRFPID-104165
CVRFPID-104345
CVRFPID-104422
CVRFPID-104546
CVRFPID-104570
CVRFPID-104734
CVRFPID-104810
CVRFPID-105069
CVRFPID-105203
CVRFPID-105388
CVRFPID-105401
CVRFPID-105554
CVRFPID-105631
CVRFPID-105638
CVRFPID-105745
CVRFPID-105802
CVRFPID-105848
CVRFPID-105889
CVRFPID-105906
CVRFPID-106082
CVRFPID-106271
CVRFPID-106499
CVRFPID-106510
CVRFPID-106730
CVRFPID-106740
CVRFPID-106839
CVRFPID-107048
CVRFPID-107433
CVRFPID-107524
CVRFPID-107550
CVRFPID-107573
CVRFPID-107659
CVRFPID-230964
CVRFPID-81746
CVRFPID-92384
CVRFPID-99645
CVRFPID-99647
CVRFPID-88444
CVRFPID-93036
7.8
6.4
AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:N/TD:N/CR:ND/IR:ND/AR:ND
CVRFPID-88444
CVRFPID-93036
If the affected Cisco IOS device requires SIP for VoIP services, SIP
cannot be disabled, and no workarounds are available. Users are advised to
apply mitigation techniques to help limit exposure to the vulnerabilities.
Mitigation consists of allowing only legitimate devices to connect to affected
devices. To increase effectiveness, the mitigation must be coupled with
anti-spoofing measures on the network edge. This action is required because SIP
can use UDP as the transport protocol.
Additional mitigations that can be deployed on Cisco devices within the
network are available in the companion document "Cisco Applied Mitigation
Bulletin:Identifying and Mitigating Exploitation of the Multiple
Vulnerabilities in Cisco Voice Products", which is available at the following
location:https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20100922-voice["https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20100922-voice"].
Disabling SIP Listening Ports
For devices that do not require SIP to be enabled, the simplest and
most effective workaround is to disable SIP processing on the device. Some
versions of Cisco IOS Software allow administrators to disable SIP with the
following commands:
sip-ua
no transport udp
no transport tcp
no transport tcp tls
Warning: When applying this workaround to devices that are processing Media
Gateway Control Protocol (MGCP) or H.323 calls, the device will not stop SIP
processing while active calls are being processed. Under these circumstances,
this workaround should be implemented during a maintenance window when active
calls can be briefly stopped.
The show udp connections, show tcp brief
all, and show processes | include SIP commands can be
used to confirm that the SIP UDP and TCP ports are closed after applying this
workaround.
Depending on the Cisco IOS Software version in use, the
output from the show ip sockets command may still show the SIP
ports open, but sending traffic to them will cause the SIP process to emit the
following message:
*Jun 2 11:36:47.691: sip_udp_sock_process_read: SIP UDP Listener is DISABLED
Control Plane Policing
For devices that need to offer SIP services, it is possible to use
Control Plane Policing (CoPP) to block SIP traffic to the device from untrusted
sources. Cisco IOS Releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T
support the CoPP feature. CoPP may be configured on a device to protect the
management and control planes to minimize the risk and effectiveness of direct
infrastructure attacks by explicitly permitting only authorized traffic sent to
infrastructure devices in accordance with existing security policies and
configurations. The following example can be adapted to specific network
configurations:
!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
!-- Everything else is not trusted. The following access list is used
!-- to determine what traffic needs to be dropped by a control plane
!-- policy (the CoPP feature.) If the access list matches (permit)
!-- then traffic will be dropped and if the access list does not
!-- match (deny) then traffic will be processed by the router.
access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061
access-list 100 deny udp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5061
access-list 100 permit udp any any eq 5060
access-list 100 permit tcp any any eq 5060
access-list 100 permit tcp any any eq 5061
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
class-map match-all drop-sip-class
match access-group 100
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
policy-map control-plane-policy
class drop-sip-class
drop
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
control-plane
service-policy input control-plane-policy
Note: Because SIP can use UDP as a transport protocol, it is possible to
easily spoof the IP address of the sender, which may defeat access control
lists that permit communication to these ports from trusted IP
addresses.
In the above CoPP example, the access control entries (ACEs) that match
the potential exploit packets with the "permit" action result in these packets
being discarded by the policy-map "drop" function, while packets that match the
"deny" action (not shown) are not affected by the policy-map drop function.
Additional information on the configuration and use of the CoPP feature can be
found at http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html["http://www.cisco.com/warp/public/707/"]
and
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html["http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html"].
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-sip
Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities
Cisco IOS Software and Unified Communications Manager SIP Packet Processing Denial of Service Vulnerability
CSCta20040
CSCta20040,CSCtf72678
Complete.
CVE-2010-2834
CVRFPID-103543
CVRFPID-103595
CVRFPID-103631
CVRFPID-103946
CVRFPID-104165
CVRFPID-104345
CVRFPID-104422
CVRFPID-104546
CVRFPID-104570
CVRFPID-104734
CVRFPID-104810
CVRFPID-105069
CVRFPID-105203
CVRFPID-105388
CVRFPID-105401
CVRFPID-105554
CVRFPID-105631
CVRFPID-105638
CVRFPID-105745
CVRFPID-105802
CVRFPID-105848
CVRFPID-105889
CVRFPID-105906
CVRFPID-106082
CVRFPID-106271
CVRFPID-106499
CVRFPID-106510
CVRFPID-106730
CVRFPID-106740
CVRFPID-106839
CVRFPID-107048
CVRFPID-107433
CVRFPID-107524
CVRFPID-107550
CVRFPID-107573
CVRFPID-107659
CVRFPID-230964
CVRFPID-81746
CVRFPID-92384
CVRFPID-99645
CVRFPID-99647
CVRFPID-88444
CVRFPID-93036
7.8
6.4
AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:N/TD:N/CR:ND/IR:ND/AR:ND
CVRFPID-88444
CVRFPID-93036
If the affected Cisco IOS device requires SIP for VoIP services, SIP
cannot be disabled, and no workarounds are available. Users are advised to
apply mitigation techniques to help limit exposure to the vulnerabilities.
Mitigation consists of allowing only legitimate devices to connect to affected
devices. To increase effectiveness, the mitigation must be coupled with
anti-spoofing measures on the network edge. This action is required because SIP
can use UDP as the transport protocol.
Additional mitigations that can be deployed on Cisco devices within the
network are available in the companion document "Cisco Applied Mitigation
Bulletin:Identifying and Mitigating Exploitation of the Multiple
Vulnerabilities in Cisco Voice Products", which is available at the following
location:https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20100922-voice["https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20100922-voice"].
Disabling SIP Listening Ports
For devices that do not require SIP to be enabled, the simplest and
most effective workaround is to disable SIP processing on the device. Some
versions of Cisco IOS Software allow administrators to disable SIP with the
following commands:
sip-ua
no transport udp
no transport tcp
no transport tcp tls
Warning: When applying this workaround to devices that are processing Media
Gateway Control Protocol (MGCP) or H.323 calls, the device will not stop SIP
processing while active calls are being processed. Under these circumstances,
this workaround should be implemented during a maintenance window when active
calls can be briefly stopped.
The show udp connections, show tcp brief
all, and show processes | include SIP commands can be
used to confirm that the SIP UDP and TCP ports are closed after applying this
workaround.
Depending on the Cisco IOS Software version in use, the
output from the show ip sockets command may still show the SIP
ports open, but sending traffic to them will cause the SIP process to emit the
following message:
*Jun 2 11:36:47.691: sip_udp_sock_process_read: SIP UDP Listener is DISABLED
Control Plane Policing
For devices that need to offer SIP services, it is possible to use
Control Plane Policing (CoPP) to block SIP traffic to the device from untrusted
sources. Cisco IOS Releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T
support the CoPP feature. CoPP may be configured on a device to protect the
management and control planes to minimize the risk and effectiveness of direct
infrastructure attacks by explicitly permitting only authorized traffic sent to
infrastructure devices in accordance with existing security policies and
configurations. The following example can be adapted to specific network
configurations:
!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
!-- Everything else is not trusted. The following access list is used
!-- to determine what traffic needs to be dropped by a control plane
!-- policy (the CoPP feature.) If the access list matches (permit)
!-- then traffic will be dropped and if the access list does not
!-- match (deny) then traffic will be processed by the router.
access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061
access-list 100 deny udp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5061
access-list 100 permit udp any any eq 5060
access-list 100 permit tcp any any eq 5060
access-list 100 permit tcp any any eq 5061
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
class-map match-all drop-sip-class
match access-group 100
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
policy-map control-plane-policy
class drop-sip-class
drop
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
control-plane
service-policy input control-plane-policy
Note: Because SIP can use UDP as a transport protocol, it is possible to
easily spoof the IP address of the sender, which may defeat access control
lists that permit communication to these ports from trusted IP
addresses.
In the above CoPP example, the access control entries (ACEs) that match
the potential exploit packets with the "permit" action result in these packets
being discarded by the policy-map "drop" function, while packets that match the
"deny" action (not shown) are not affected by the policy-map drop function.
Additional information on the configuration and use of the CoPP feature can be
found at http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html["http://www.cisco.com/warp/public/707/"]
and
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html["http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html"].
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-sip
Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities
Cisco Unified Communications Manager SIP INVITE Remote Denial of Service Vulnerability
CSCsz43987
CSCsz43987,CSCta20040,CSCtf72678
Complete.
CVE-2009-2051
CVRFPID-103494
CVRFPID-103502
CVRFPID-103503
CVRFPID-103527
CVRFPID-103531
CVRFPID-103543
CVRFPID-103564
CVRFPID-103573
CVRFPID-103575
CVRFPID-103595
CVRFPID-103604
CVRFPID-103605
CVRFPID-103631
CVRFPID-103638
CVRFPID-103639
CVRFPID-103650
CVRFPID-103674
CVRFPID-103715
CVRFPID-103735
CVRFPID-103773
CVRFPID-103777
CVRFPID-103815
CVRFPID-103843
CVRFPID-103862
CVRFPID-103869
CVRFPID-103886
CVRFPID-103889
CVRFPID-103907
CVRFPID-103926
CVRFPID-103946
CVRFPID-103949
CVRFPID-103953
CVRFPID-103962
CVRFPID-103968
CVRFPID-104006
CVRFPID-104019
CVRFPID-104048
CVRFPID-104083
CVRFPID-104116
CVRFPID-104125
CVRFPID-104134
CVRFPID-104136
CVRFPID-104138
CVRFPID-104165
CVRFPID-104179
CVRFPID-104190
CVRFPID-104198
CVRFPID-104208
CVRFPID-104212
CVRFPID-104247
CVRFPID-104248
CVRFPID-104266
CVRFPID-104273
CVRFPID-104304
CVRFPID-104345
CVRFPID-104369
CVRFPID-104378
CVRFPID-104381
CVRFPID-104386
CVRFPID-104422
CVRFPID-104423
CVRFPID-104445
CVRFPID-104448
CVRFPID-104473
CVRFPID-104474
CVRFPID-104481
CVRFPID-104487
CVRFPID-104500
CVRFPID-104514
CVRFPID-104523
CVRFPID-104533
CVRFPID-104534
CVRFPID-104546
CVRFPID-104570
CVRFPID-104587
CVRFPID-104612
CVRFPID-104640
CVRFPID-104657
CVRFPID-104670
CVRFPID-104673
CVRFPID-104677
CVRFPID-104692
CVRFPID-104734
CVRFPID-104758
CVRFPID-104777
CVRFPID-104788
CVRFPID-104802
CVRFPID-104807
CVRFPID-104810
CVRFPID-104839
CVRFPID-104844
CVRFPID-104851
CVRFPID-104854
CVRFPID-104876
CVRFPID-104878
CVRFPID-104909
CVRFPID-104916
CVRFPID-104955
CVRFPID-104979
CVRFPID-104980
CVRFPID-105022
CVRFPID-105034
CVRFPID-105060
CVRFPID-105067
CVRFPID-105069
CVRFPID-105076
CVRFPID-105092
CVRFPID-105113
CVRFPID-105116
CVRFPID-105118
CVRFPID-105120
CVRFPID-105144
CVRFPID-105150
CVRFPID-105162
CVRFPID-105174
CVRFPID-105179
CVRFPID-105193
CVRFPID-105203
CVRFPID-105205
CVRFPID-105271
CVRFPID-105272
CVRFPID-105305
CVRFPID-105337
CVRFPID-105348
CVRFPID-105358
CVRFPID-105369
CVRFPID-105376
CVRFPID-105388
CVRFPID-105391
CVRFPID-105393
CVRFPID-105401
CVRFPID-105402
CVRFPID-105434
CVRFPID-105463
CVRFPID-105469
CVRFPID-105471
CVRFPID-105480
CVRFPID-105481
CVRFPID-105484
CVRFPID-105497
CVRFPID-105503
CVRFPID-105523
CVRFPID-105532
CVRFPID-105554
CVRFPID-105571
CVRFPID-105585
CVRFPID-105594
CVRFPID-105595
CVRFPID-105598
CVRFPID-105631
CVRFPID-105635
CVRFPID-105637
CVRFPID-105638
CVRFPID-105647
CVRFPID-105662
CVRFPID-105707
CVRFPID-105716
CVRFPID-105720
CVRFPID-105743
CVRFPID-105745
CVRFPID-105748
CVRFPID-105754
CVRFPID-105763
CVRFPID-105766
CVRFPID-105797
CVRFPID-105802
CVRFPID-105808
CVRFPID-105841
CVRFPID-105843
CVRFPID-105844
CVRFPID-105848
CVRFPID-105889
CVRFPID-105906
CVRFPID-105911
CVRFPID-105918
CVRFPID-105930
CVRFPID-105933
CVRFPID-105958
CVRFPID-105964
CVRFPID-106011
CVRFPID-106017
CVRFPID-106027
CVRFPID-106056
CVRFPID-106057
CVRFPID-106060
CVRFPID-106062
CVRFPID-106081
CVRFPID-106082
CVRFPID-106091
CVRFPID-106092
CVRFPID-106094
CVRFPID-106096
CVRFPID-106100
CVRFPID-106101
CVRFPID-106125
CVRFPID-106141
CVRFPID-106147
CVRFPID-106148
CVRFPID-106170
CVRFPID-106179
CVRFPID-106214
CVRFPID-106250
CVRFPID-106271
CVRFPID-106296
CVRFPID-106304
CVRFPID-106312
CVRFPID-106324
CVRFPID-106340
CVRFPID-106381
CVRFPID-106385
CVRFPID-106387
CVRFPID-106391
CVRFPID-106419
CVRFPID-106421
CVRFPID-106428
CVRFPID-106433
CVRFPID-106434
CVRFPID-106437
CVRFPID-106461
CVRFPID-106469
CVRFPID-106499
CVRFPID-106510
CVRFPID-106527
CVRFPID-106531
CVRFPID-106553
CVRFPID-106554
CVRFPID-106569
CVRFPID-106582
CVRFPID-106609
CVRFPID-106612
CVRFPID-106630
CVRFPID-106653
CVRFPID-106672
CVRFPID-106680
CVRFPID-106696
CVRFPID-106713
CVRFPID-106716
CVRFPID-106730
CVRFPID-106740
CVRFPID-106745
CVRFPID-106751
CVRFPID-106756
CVRFPID-106757
CVRFPID-106773
CVRFPID-106786
CVRFPID-106790
CVRFPID-106793
CVRFPID-106819
CVRFPID-106835
CVRFPID-106839
CVRFPID-106867
CVRFPID-106872
CVRFPID-106884
CVRFPID-106895
CVRFPID-106896
CVRFPID-106924
CVRFPID-106945
CVRFPID-106956
CVRFPID-106962
CVRFPID-106963
CVRFPID-106969
CVRFPID-106974
CVRFPID-106983
CVRFPID-106998
CVRFPID-107012
CVRFPID-107014
CVRFPID-107048
CVRFPID-107066
CVRFPID-107075
CVRFPID-107081
CVRFPID-107099
CVRFPID-107104
CVRFPID-107136
CVRFPID-107139
CVRFPID-107157
CVRFPID-107160
CVRFPID-107163
CVRFPID-107169
CVRFPID-107173
CVRFPID-107218
CVRFPID-107238
CVRFPID-107270
CVRFPID-107277
CVRFPID-107295
CVRFPID-107299
CVRFPID-107307
CVRFPID-107314
CVRFPID-107329
CVRFPID-107367
CVRFPID-107379
CVRFPID-107382
CVRFPID-107392
CVRFPID-107393
CVRFPID-107394
CVRFPID-107397
CVRFPID-107428
CVRFPID-107433
CVRFPID-107434
CVRFPID-107438
CVRFPID-107464
CVRFPID-107524
CVRFPID-107536
CVRFPID-107542
CVRFPID-107550
CVRFPID-107558
CVRFPID-107559
CVRFPID-107566
CVRFPID-107573
CVRFPID-107575
CVRFPID-107582
CVRFPID-107596
CVRFPID-107597
CVRFPID-107603
CVRFPID-107608
CVRFPID-107640
CVRFPID-107659
CVRFPID-107671
CVRFPID-107693
CVRFPID-107733
CVRFPID-107747
CVRFPID-107764
CVRFPID-107775
CVRFPID-107845
CVRFPID-107848
CVRFPID-111406
CVRFPID-230964
CVRFPID-58331
CVRFPID-59292
CVRFPID-59293
CVRFPID-59294
CVRFPID-59295
CVRFPID-59296
CVRFPID-59297
CVRFPID-59298
CVRFPID-59299
CVRFPID-62555
CVRFPID-62570
CVRFPID-62571
CVRFPID-62573
CVRFPID-62574
CVRFPID-62575
CVRFPID-62576
CVRFPID-62603
CVRFPID-62614
CVRFPID-62616
CVRFPID-62617
CVRFPID-62618
CVRFPID-62619
CVRFPID-62622
CVRFPID-62623
CVRFPID-62625
CVRFPID-62626
CVRFPID-63189
CVRFPID-63194
CVRFPID-63196
CVRFPID-63197
CVRFPID-63198
CVRFPID-63204
CVRFPID-63378
CVRFPID-63379
CVRFPID-63380
CVRFPID-63381
CVRFPID-63384
CVRFPID-63385
CVRFPID-63386
CVRFPID-63499
CVRFPID-63501
CVRFPID-65434
CVRFPID-65435
CVRFPID-65437
CVRFPID-65439
CVRFPID-65440
CVRFPID-65453
CVRFPID-65454
CVRFPID-65455
CVRFPID-65471
CVRFPID-65490
CVRFPID-65509
CVRFPID-65510
CVRFPID-65511
CVRFPID-65513
CVRFPID-65514
CVRFPID-65517
CVRFPID-65520
CVRFPID-65527
CVRFPID-65528
CVRFPID-65529
CVRFPID-65530
CVRFPID-65532
CVRFPID-65536
CVRFPID-65538
CVRFPID-65539
CVRFPID-65541
CVRFPID-65542
CVRFPID-65543
CVRFPID-65544
CVRFPID-65545
CVRFPID-65546
CVRFPID-65548
CVRFPID-65549
CVRFPID-65551
CVRFPID-65552
CVRFPID-65554
CVRFPID-65555
CVRFPID-65557
CVRFPID-65559
CVRFPID-65560
CVRFPID-65561
CVRFPID-65562
CVRFPID-65563
CVRFPID-65899
CVRFPID-66054
CVRFPID-66055
CVRFPID-66056
CVRFPID-66058
CVRFPID-66062
CVRFPID-66207
CVRFPID-66213
CVRFPID-66328
CVRFPID-69755
CVRFPID-69756
CVRFPID-69757
CVRFPID-69758
CVRFPID-69759
CVRFPID-69760
CVRFPID-69761
CVRFPID-69762
CVRFPID-69763
CVRFPID-69764
CVRFPID-69776
CVRFPID-81746
CVRFPID-83374
CVRFPID-83376
CVRFPID-92384
CVRFPID-99645
CVRFPID-99647
CVRFPID-88444
CVRFPID-93036
7.8
6.4
AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:N/TD:N/CR:ND/IR:ND/AR:ND
CVRFPID-88444
CVRFPID-93036
If the affected Cisco IOS device requires SIP for VoIP services, SIP
cannot be disabled, and no workarounds are available. Users are advised to
apply mitigation techniques to help limit exposure to the vulnerabilities.
Mitigation consists of allowing only legitimate devices to connect to affected
devices. To increase effectiveness, the mitigation must be coupled with
anti-spoofing measures on the network edge. This action is required because SIP
can use UDP as the transport protocol.
Additional mitigations that can be deployed on Cisco devices within the
network are available in the companion document "Cisco Applied Mitigation
Bulletin:Identifying and Mitigating Exploitation of the Multiple
Vulnerabilities in Cisco Voice Products", which is available at the following
location:https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20100922-voice["https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20100922-voice"].
Disabling SIP Listening Ports
For devices that do not require SIP to be enabled, the simplest and
most effective workaround is to disable SIP processing on the device. Some
versions of Cisco IOS Software allow administrators to disable SIP with the
following commands:
sip-ua
no transport udp
no transport tcp
no transport tcp tls
Warning: When applying this workaround to devices that are processing Media
Gateway Control Protocol (MGCP) or H.323 calls, the device will not stop SIP
processing while active calls are being processed. Under these circumstances,
this workaround should be implemented during a maintenance window when active
calls can be briefly stopped.
The show udp connections, show tcp brief
all, and show processes | include SIP commands can be
used to confirm that the SIP UDP and TCP ports are closed after applying this
workaround.
Depending on the Cisco IOS Software version in use, the
output from the show ip sockets command may still show the SIP
ports open, but sending traffic to them will cause the SIP process to emit the
following message:
*Jun 2 11:36:47.691: sip_udp_sock_process_read: SIP UDP Listener is DISABLED
Control Plane Policing
For devices that need to offer SIP services, it is possible to use
Control Plane Policing (CoPP) to block SIP traffic to the device from untrusted
sources. Cisco IOS Releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T
support the CoPP feature. CoPP may be configured on a device to protect the
management and control planes to minimize the risk and effectiveness of direct
infrastructure attacks by explicitly permitting only authorized traffic sent to
infrastructure devices in accordance with existing security policies and
configurations. The following example can be adapted to specific network
configurations:
!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
!-- Everything else is not trusted. The following access list is used
!-- to determine what traffic needs to be dropped by a control plane
!-- policy (the CoPP feature.) If the access list matches (permit)
!-- then traffic will be dropped and if the access list does not
!-- match (deny) then traffic will be processed by the router.
access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061
access-list 100 deny udp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5061
access-list 100 permit udp any any eq 5060
access-list 100 permit tcp any any eq 5060
access-list 100 permit tcp any any eq 5061
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
class-map match-all drop-sip-class
match access-group 100
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
policy-map control-plane-policy
class drop-sip-class
drop
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
control-plane
service-policy input control-plane-policy
Note: Because SIP can use UDP as a transport protocol, it is possible to
easily spoof the IP address of the sender, which may defeat access control
lists that permit communication to these ports from trusted IP
addresses.
In the above CoPP example, the access control entries (ACEs) that match
the potential exploit packets with the "permit" action result in these packets
being discarded by the policy-map "drop" function, while packets that match the
"deny" action (not shown) are not affected by the policy-map drop function.
Additional information on the configuration and use of the CoPP feature can be
found at http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html["http://www.cisco.com/warp/public/707/"]
and
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html["http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html"].
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-sip
Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities