|
Cisco Session Initiation Protocol DoS
|
|
Secunia Advisory:
|
SA8113
|
|
|
Release Date:
|
2003-02-22
|
|
Last Update:
|
2005-09-27
|
|
Popularity:
|
8,630 views
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
DoS
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| OS: | Cisco IOS 12.x
Cisco IOS R12.x
Cisco PIX 5.x
Cisco PIX 6.x
|
|
| Software: | Cisco IP Phone 7940
Cisco IP Phones 7960
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
Description:
Cisco has confirmed vulnerabilities in their SIP (Session Initiation Protocol) implementation in multiple products. These can be exploited by malicious people to cause a DoS (Denial of Service) on a vulnerable device.
The vulnerabilities have been identified in the INVITE message used by two SIP-endpoints during the initial call setup. Cisco has reported the existance of the following vulnerabilities in affected products:
Cisco IP Phone models 7940 and 7960:
The vulnerabilities are caused by boundary errors and exceptional condition errors when handling malformed headers. According to Cisco these vulnerabilities may be exploited by a malicious person to cause a DoS (Denial of Service).
Cisco IOS versions in the 12.2T train or any 12.2 'X' train:
The vulnerabilities are caused by improper handling of SIP fields and can be exploited to force a vulnerable device to reset. The device must either be configured as a SIP gateway or perform NAT (Network Address Translation) while SIP is using the UDP transport protocol.
Cisco PIX:
The vulnerability is caused to improper handling of fragmented SIP INVITE messages, which can be exploited to force the firewall to reset.
Solution:
Cisco has released fixed versions of the software in vulnerable products. Customers are advised to obtain the fixed software through their usual channels.
Cisco IP Phone models 7940 and 7960:
The vulnerabilities have been fixed in Cisco IP Phone SIP Images P0S3-04-2-00 and later.
Cisco IOS 12.2T:
The vulnerabilities have been fixed in Ciso IOS versions 12.2(11)T3 and 12.2(13)T1.
Cisco Secure PIX Firewall
This vulnerability has been fixed in Cisco Secure PIX Software versions 5.2(9), 6.0(4), 6.1(4), 6.2(2) and later.
As a temporary workaround the SIP service can be disabled. If this is not a viable solution, outbound traffic as well as inbound traffic to broadcast addresses and the following ports should be filtered on the devices, firewalls and border routers:
5060/udp # Session Initiation Protocol (SIP)
5060/tcp # Session Initiation Protocol (SIP)
5061/tcp # Session Initiation Protocol (SIP) over TLS
Provided and/or discovered by:
Oulu University Secure Programming Group
Changelog:
2005-09-27: Added link to US-CERT vulnerability note.
Original Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20030221-protos.shtml
Other References:
http://www.cert.org/advisories/CA-2003-06.html
http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/
US-CERT VU#528719
http://www.kb.cert.org/vuls/id/528719
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
