Advisory ID: cisco-sa-20030221-protos
For Public Release 2003 Februrary 21 17:00 UTC (GMT)
Multiple Cisco products contain vulnerabilities in the processing of
Session Initiation Protocol (SIP) INVITE messages. These vulnerabilities were
identified by the University of Oulu Secure Programming Group (OUSPG) "PROTOS"
Test Suite for SIP and can be repeatedly exploited to produce a denial of
This advisory is available at
This section provides details on affected products.
These products are vulnerable:
Cisco IP Phone Model 7940/7960 running SIP images prior to
Cisco Routers running Cisco IOS 12.2T and 12.2 'X'
Cisco PIX Firewall running software versions with SIP support,
beginning with version 5.2(1) and up to, but not including versions 6.2(2),
6.1(4), 6.0(4) and 5.2(9)
Cisco products that are not running the SIP protocol or that do not
provide Network Address Translation (NAT) fixup services for the SIP protocol
are not affected.
SIP is the Internet Engineering Task Force (IETF) standard for
multimedia conferencing over IP. SIP is an ASCII-based, application-layer
control protocol (defined in RFCs 2543 and 3261) that can be used to establish,
maintain, and terminate calls between two or more endpoints.
The vulnerabilities identified can be easily and repeatedly
demonstrated with the use of the OUSPG "PROTOS" Test Suite for SIP. This suite
is designed to test the design limits of the implementation of the SIP
protocol, specifically the SIP INVITE messages that are used in the initial
call setup between two SIP endpoints.
The Cisco IP Phone models 7940 and 7960 are vulnerable to
network-based Denial of Service (DoS) attacks via this test suite due to buffer
overflows and improper handling of invalid headers. These vulnerabilities are
documented as Cisco Bug IDs CSCdz26317, CSCdz29003, CSCdz29033, and CSCdz29041.
Devices running Cisco IOS versions in the 12.2T train or any 12.2 'X'
train may reset due to improper handling of SIP fields. These vulnerabilities
are documented as Cisco Bug IDs CSCdz39284 and CSCdz41124. In order to be
vulnerable to CSCdz39284, the device must be running a vulnerable version of
IOS and be configured as a SIP gateway. However, any device running a
vulnerable version of Cisco IOS that is configured to perform NAT is vulnerable
to CSCdz41124 when SIP is using UDP as its transport.
The Cisco PIX Firewall may reset when receiving fragmented SIP INVITE
messages. As the SIP fixup does not support fragmented SIP messages, this has
been resolved to now drop SIP fragments. This vulnerability is documented as
Cisco Bug ID CSCdx47789.
Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at
Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
Depending on the test case, the Cisco IP Phone models 7940 and 7960
would reset or hang, requiring the manual power cycling of the device.
Vulnerable versions of both Cisco IOS and Cisco PIX Software would
experience a device reset.
Cisco IP SIP Phones
This vulnerability is repaired in Cisco IP Phone SIP Images
P0S3-04-2-00 and later.
Cisco Secure PIX Firewall
This vulnerability is repaired in Cisco Secure PIX Software versions
5.2.9, 6.0.4, 6.1.4, and 6.2.2 and later.
Each row of the Cisco IOS software table (below) describes a release
train and the platforms or products for which it is intended. If a given
release train is vulnerable, then the earliest possible releases that contain
the fix (the "First Fixed Release") and the anticipated date of availability
for each are listed in the "Rebuild," "Interim," and "Maintenance" columns. A
device running a release in the given train that is earlier than the release in
a specific column (less than the First Fixed Release) is known to be
vulnerable. The release should be upgraded at least to the indicated release or
a later version (greater than or equal to the First Fixed Release label).
When selecting a release, keep in mind the following definitions:
Maintenance - Most heavily tested, stable, and
highly recommended release of a release train in any given row of the
Rebuild - Constructed from the previous maintenance
or major release in the same train, it contains the fix for a specific defect.
Although it receives less testing, it contains only the minimal changes
necessary to repair the vulnerability.
Interim - Built at regular intervals between
maintenance releases and receives less testing. Interims should be selected
only if there is no other suitable release that addresses the vulnerability.
Interim images should be upgraded to the next available maintenance release as
soon as possible. Interim releases are not available through manufacturing, and
usually they are not available for customer download from CCO without prior
arrangement with the Cisco TAC.
In all cases, customers should exercise caution to confirm that the
devices to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
software release. If the information is not clear, contact the Cisco TAC for
assistance as shown in the Obtaining Fixed
Software section below.
More information on Cisco IOS software release names and abbreviations
is available at http://www.cisco.com/warp/public/620/1.html.
The fixes will be available at the Software Center located at
Train or Release
Description of Image or Platform
Availability of Fixed Releases
For customers implementing IP Telephony via SIP, there are no known
workarounds for most of these defects directly on the devices. The Cisco PSIRT
recommends that customers upgrade to a version of software that contains
However, it may be possible to limit the exposure of SIP-enabled
devices by compartmentalizing the traffic to only those segments which require
SIP traffic to transit them. This may be done via any traffic-blocking
mechanism such as firewalls or router access lists that can block both UDP
traffic with source or destination ports of 5060 and TCP traffic with source or
destination ports of 5060 and 5061. As always, it is important to investigate
whether other local legitimate non-SIP traffic is attempting to use the default
ports that SIP may also use before those ports are blocked completely.
Similarly, unless NAT for the SIP protocol is required, devices running
vulnerable versions of Cisco IOS which are configured to perform general NAT
services may simply implement ingress access lists to prevent the possible
translation of the SIP traffic by blocking UDP traffic with source or
destination ports of 5060.
Customers running version 6.2 of the Cisco Secure PIX Software may be
able to disable the SIP fixup feature depending on the configuration. See the
Usage Guidelines section at
for more details.
Cisco has made free software available to address this vulnerability
for affected customers. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set compatibility
and known issues specific to their environment.
Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise using such
software upgrades, customers agree to be bound by the terms of Cisco's software
license terms found at
or as otherwise set forth at Cisco.com Downloads at
Do not contact either "firstname.lastname@example.org" or "email@example.com"
for software upgrades.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades should be
obtained through the Software Center on Cisco's worldwide website at
Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for guidance and assistance with the appropriate course of
action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations such as product mix, network topology, traffic behavior,
and organizational mission. Due to the variety of affected products and
releases, customers should consult with their service provider or support
organization to ensure any applied workaround or fix is the most appropriate
for use in the intended network before it is deployed.
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain software patches and bug fixes by contacting the Cisco Technical Assistance Center (TAC). TAC
contacts are as follows.
+1 800 553 2447 (toll free from within North America)
+1 408 526 7209 (toll call from anywhere in the world)
Have your product serial number available and provide the URL of this notice as evidence of entitlement to a software patch or bug fix. Customers without service contracts should request a software patch or bug fix through the TAC.
for additional TAC contact information, including special localized telephone
numbers and instructions and e-mail addresses for use in various
The Cisco PSIRT is not aware of any malicious exploitation of these
vulnerabilities. This advisory is being published simultaneously with
announcements from other organizations such as the CERT Coordination Center.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
This advisory will be posted on Cisco's worldwide website at
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail
and Usenet news recipients.
firstname.lastname@example.org (includes CERT/CC)
Various internal Cisco mailing lists
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.
Initial public release