It is possible to work around the CTL Provider Service Overflow vulnerability by disabling the CTL Provider Service if it is not needed. Access to the CTL Provider Service is usually only required during the initial configuration of CUCM authentication and encryption features. For CUCM 4.x systems, please consult the following documentation for details on how to disable CUCM services:
For CUCM 5.x systems, please consult the following documentation for details on how to disable CUCM services:
Filtering traffic to affected CUCM systems on screening devices can be used as a mitigation technique for both vulnerabilities:
- Permit access to TCP port 2444 only between the CUCM systems where the CTL Provider service is active and the CTL Client, usually on the administrator's workstation, to mitigate the CTL Provider service overflow.
- Permit access to TCP port 2556 only from other CUCM cluster systems to mitigate the RIS Data Collector overflow.
It is possible to change the default ports of the CTL Provider (2444/TCP) and RIS Data Collector (2556/TCP) services. If they have been changed, filtering should be based on the port values actually in use. The values of the ports can be viewed in the CUCM Administration interface by following the System > Service Parameters menu and selecting the appropriate service.
There is currently no method to configure filtering directly on a CUCM system.
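As an added example (not part of the Cisco advisory), the two filters above expressed as a Cisco IOS extended access list applied on a screening device in front of the cluster. All addresses are constructed placeholders: the CUCM cluster is assumed to sit in 10.1.1.0/24, the administrator's workstation running the CTL Client is assumed to be 10.2.2.50, and the services are assumed to run on their default ports.

```cisco
! Added example, not from the advisory. Constructed placeholder addresses:
!   CUCM cluster subnet ............ 10.1.1.0/24
!   administrator workstation ...... 10.2.2.50 (runs the CTL Client)
! Substitute the real values, and the non-default ports if the
! System > Service Parameters values were changed.
ip access-list extended CUCM-PROTECT
 remark CTL Provider (TCP/2444): only the CTL Client workstation may reach the cluster
 permit tcp host 10.2.2.50 10.1.1.0 0.0.0.255 eq 2444
 deny   tcp any 10.1.1.0 0.0.0.255 eq 2444 log
 remark RIS Data Collector (TCP/2556): only other CUCM cluster systems may reach it
 permit tcp 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 2556
 deny   tcp any 10.1.1.0 0.0.0.255 eq 2556 log
 remark Remaining entries of the site's infrastructure / transit ACL follow here
 permit ip any any
!
interface GigabitEthernet0/1
 description Edge interface facing transit traffic
 ip access-group CUCM-PROTECT in
```

The `log` keyword on the two deny entries makes blocked attempts visible in syslog, which gives a simple detection signal for probing of either service; the trailing `permit ip any any` stands in for the rest of the infrastructure ACL described below and should be replaced by that list's real entries.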
Although it is often difficult to block traffic transiting your network, it is possible to identify traffic that should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security, as well as a workaround for this specific vulnerability. The filters shown above should be included as part of an infrastructure access list which will protect all devices with IP addresses in the infrastructure IP address range.
The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists. This document is available at the following link:
Filters blocking access to TCP/2444 and TCP/2556 should be deployed at the network edge as part of a transit access list which will protect the router where the ACL is configured, as well as other devices behind it. Further information about transit ACLs is available in the white paper "Transit Access Control Lists: Filtering at Your Edge," which is available at the following link:
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: