-
Multiple Cisco products contain vulnerabilities in the processing of Session Initiation Protocol (SIP) INVITE messages. These vulnerabilities were identified by the University of Oulu Secure Programming Group (OUSPG) "PROTOS" Test Suite for SIP and can be repeatedly exploited to produce a denial of service.
This advisory is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030221-protos.
-
This section provides details on affected products.
Vulnerable Products
These products are vulnerable:
-
Cisco IP Phone Model 7940/7960 running SIP images prior to
4.2
-
Cisco Routers running Cisco IOS 12.2T and 12.2 'X'
trains
-
Cisco PIX Firewall running software versions with SIP support,
beginning with version 5.2(1) and up to, but not including versions 6.2(2),
6.1(4), 6.0(4) and 5.2(9)
Products Confirmed Not Vulnerable
Cisco products that are not running the SIP protocol or that do not provide Network Address Translation (NAT) fixup services for the SIP protocol are not affected.
-
Cisco IP Phone Model 7940/7960 running SIP images prior to
4.2
-
SIP is the Internet Engineering Task Force (IETF) standard for multimedia conferencing over IP. SIP is an ASCII-based, application-layer control protocol (defined in RFCs 2543 and 3261) that can be used to establish, maintain, and terminate calls between two or more endpoints.
The vulnerabilities identified can be easily and repeatedly demonstrated with the use of the OUSPG "PROTOS" Test Suite for SIP. This suite is designed to test the design limits of the implementation of the SIP protocol, specifically the SIP INVITE messages that are used in the initial call setup between two SIP endpoints.
The Cisco IP Phone models 7940 and 7960 are vulnerable to network-based Denial of Service (DoS) attacks via this test suite due to buffer overflows and improper handling of invalid headers. These vulnerabilities are documented as Cisco Bug IDs CSCdz26317, CSCdz29003, CSCdz29033, and CSCdz29041.
Devices running Cisco IOS versions in the 12.2T train or any 12.2 'X' train may reset due to improper handling of SIP fields. These vulnerabilities are documented as Cisco Bug IDs CSCdz39284 and CSCdz41124. In order to be vulnerable to CSCdz39284, the device must be running a vulnerable version of IOS and be configured as a SIP gateway. However, any device running a vulnerable version of Cisco IOS that is configured to perform NAT is vulnerable to CSCdz41124 when SIP is using UDP as its transport.
The Cisco PIX Firewall may reset when receiving fragmented SIP INVITE messages. As the SIP fixup does not support fragmented SIP messages, this has been resolved to now drop SIP fragments. This vulnerability is documented as Cisco Bug ID CSCdx47789.
-
For customers implementing IP Telephony via SIP, there are no known workarounds for most of these defects directly on the devices. The Cisco PSIRT recommends that customers upgrade to a version of software that contains fixes.
However, it may be possible to limit the exposure of SIP-enabled devices by compartmentalizing the traffic to only those segments which require SIP traffic to transit them. This may be done via any traffic-blocking mechanism such as firewalls or router access lists that can block both UDP traffic with source or destination ports of 5060 and TCP traffic with source or destination ports of 5060 and 5061. As always, it is important to investigate whether other local legitimate non-SIP traffic is attempting to use the default ports that SIP may also use before those ports are blocked completely.
Similarly, unless NAT for the SIP protocol is required, devices running vulnerable versions of Cisco IOS which are configured to perform general NAT services may simply implement ingress access lists to prevent the possible translation of the SIP traffic by blocking UDP traffic with source or destination ports of 5060.
Customers running version 6.2 of the Cisco Secure PIX Software may be able to disable the SIP fixup feature depending on the configuration. See the Usage Guidelines section at http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/df.html#wp1067379 for more details.
-
Cisco IP SIP Phones
This vulnerability is repaired in Cisco IP Phone SIP Images P0S3-04-2-00 and later.
Cisco Secure PIX Firewall
This vulnerability is repaired in Cisco Secure PIX Software versions 5.2.9, 6.0.4, 6.1.4, and 6.2.2 and later.
Cisco IOS
Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild," "Interim," and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).
When selecting a release, keep in mind the following definitions:
-
Maintenance - Most heavily tested, stable, and
highly recommended release of a release train in any given row of the
table.
-
Rebuild - Constructed from the previous maintenance
or major release in the same train, it contains the fix for a specific defect.
Although it receives less testing, it contains only the minimal changes
necessary to repair the vulnerability.
-
Interim - Built at regular intervals between
maintenance releases and receives less testing. Interims should be selected
only if there is no other suitable release that addresses the vulnerability.
Interim images should be upgraded to the next available maintenance release as
soon as possible. Interim releases are not available through manufacturing, and
usually they are not available for customer download from CCO without prior
arrangement with the Cisco TAC.
In all cases, customers should exercise caution to confirm that the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new software release. If the information is not clear, contact the Cisco TAC for assistance as shown in the Obtaining Fixed Software section below.
More information on Cisco IOS software release names and abbreviations is available at http://www.cisco.com/warp/public/620/1.html.
The fixes will be available at the Software Center located at http://www.cisco.com/tacpage/sw-center/.
Train or Release
Description of Image or Platform
Availability of Fixed Releases
12.2 Releases
Rebuild
Interim
Maintenance
12.2 T
12.2(11)T3
12.2(13)T1
-
Maintenance - Most heavily tested, stable, and
highly recommended release of a release train in any given row of the
table.
-
The Cisco PSIRT is not aware of any malicious exploitation of these vulnerabilities. This advisory is being published simultaneously with announcements from other organizations such as the CERT Coordination Center.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0
2003-February-21
Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.