Summary

• Multiple vulnerabilities exist in the Cisco PGW 2200 Softswitch series of products. Each vulnerability described in this advisory is independent from other. The vulnerabilities are related to processing Session Initiation Protocol (SIP) or Media Gateway Control Protocol (MGCP) messages.

  Successful exploitation of all but one of these vulnerabilities can crash the affected device. Exploitation of the remaining vulnerability will not crash the affected device, but it can lead to a denial-of-service (DoS) condition in which no new TCP-based connections will be accepted or created.

  Cisco has released software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.

  This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100512-pgw.

Affected Products

• Vulnerable Products

  The Cisco PGW 2200 Softswitch is affected by these vulnerabilities. The following table displays information about software releases that are affected by individual vulnerabilities. Each vulnerability in the table affects all software releases prior to the release that is listed in the table.

  Cisco Bug ID	Affects All Software Releases Prior This Version(s)
  CSCsz13590	9.8(1)S5
  CSCsl39126	9.7(3)S11
  CSCsk32606	9.7(3)S11
  CSCsk44115	9.7(3)S11, 9.7(3)P11
  CSCsk40030	9.7(3)S10
  CSCsk38165	9.7(3)S10
  CSCsj98521	9.7(3)S9, 9.7(3)P9
  CSCsk04588	9.7(3)S9, 9.7(3)P9
  CSCsk13561	9.7(3)S9, 9.7(3)P9

  To determine the software version running on a Cisco product, log in to the device and issue the RTRV-NE command. This command displays information about the Cisco PGW 2200 Softswitch hardware, software, and current state.

  The following example identifies a Cisco PGW 2200 Softswitch running software release 9.7(3):

  mml> RTRV-NE
  Media Gateway Controller  - MGC-01 2010-04-23 11:55:00.000
  M  RTRV
     "Type:MGC (Switch Mode)"
     "Hardware platform:sun4u sparc SUNW,Sun-Fire-V210"
     "Vendor:"Cisco Systems, Inc.""
     "Location:MGC-01 - Media Gateway Controller"
     "Version:"9.7(3)""
     "Patch:"CSCOgs028/CSCOnn028""
     "Platform State:ACTIVE"
     ;

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by these vulnerabilities. In particular, Cisco IOS Software is not affected by these vulnerabilities.

Details

• SIP is a popular signaling protocol used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible to accommodate for other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP port 5061) as the underlying transport protocol.

  MGCP is the protocol for controlling telephony gateways from external call control elements known as media gateway controllers or call agents. A telephony gateway is a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or other packet networks.

  Multiple DoS vulnerabilities exist in the Cisco PGW 2200 Softswitch SIP implementation, and one vulnerability is in the MGCP implementation.

  The following vulnerabilities can cause affected devices to crash:

  • CSCsl39126 (registered customers only), CVE ID CVE-2010-0601
    
  • CSCsk32606 (registered customers only), CVE ID CVE-2010-0602
    
  • CSCsk40030 (registered customers only), CVE ID CVE-2010-0603
    
  • CSCsk38165 (registered customers only), CVE ID CVE-2010-0604
    
  • CSCsk44115 (registered customers only), CVE ID CVE-2010-1561
    
  • CSCsj98521 (registered customers only), CVE ID CVE-2010-1562
    
  • CSCsk04588 (registered customers only), CVE ID CVE-2010-1563
    
  • CSCsz13590 (registered customers only), CVE ID CVE-2010-1567
    

  The following vulnerability may cause an affected device to be unable to accept or create a new TCP connection. Existing calls will not be terminated, but no new SIP connections will be established. If exploited, this vulnerability will also prevent the device from establishing any new HTTP, SSH or Telnet sessions.

  • CSCsk13561 (registered customers only), CVE ID CVE-2010-1565
    

Workarounds

• There are no workarounds for the vulnerabilities in this advisory.

  In the case of the vulnerability that corresponds to Cisco Bug ID CSCsk13561, administrator must manually reboot the affected device to restore the device's ability to accept new connections. Because vulnerability prevents new TCP-based session to be created, this reboot can be initiated only from the console. If a failover device is configured, existing sessions will continue while the affected device is reloading. Without a failover device, all active sessions will be terminated while the affected device is reloading.

  Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20100512-pgw

Fixed Software

• When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

  All vulnerabilities listed in this Security Advisory are addressed in Cisco PGW 2200 Softswitch version 9.7(3)S11, version 9.8(1)S5, and subsequent, software releases.

Exploitation and Public Announcements

• The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

  These vulnerabilities were discovered during internal testing.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100512-pgw

Revision History

• Revision 1.0

  2010-May-12

  Initial public release.

  Show Less