[VulnWatch] Cisco Security Advisory: SIP Packet Reloads IOS Devices Not Configured for SIP

From: Cisco Systems Product Security Incident Response Team (psirt@private)
Date: Wed Jan 31 2007 - 01:25:00 PST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: SIP Packet Reloads IOS Devices Not
Configured for SIP

Advisory ID: cisco-sa-20070131-sip

http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml

Revision 1.0

For Public Release 2007 Jan 31 0900 UTC (GMT)

- ---------------------------------------------------------------------

Summary
=======

Cisco devices running IOS which support voice and are not configured
for Session Initiated Protocol (SIP) are vulnerable to a crash under
yet to be determined conditions, but isolated to traffic destined to
Port 5060. SIP is enabled by default on all Advanced images which
support voice and do not contain the fix for CSCsb25337. There are no
reports of this vulnerability on the devices which are properly
configured for SIP processing. Workarounds exist to mitigate the
effects of this problem.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml

Affected Products
=================

IOS releases that include voice support after 12.3(14)T, 12.3(8)YC1,
12.3(8)YG and all of 12.4 are affected. Please see the fixed software
table for a complete list of fixed and vulnerable trains.

To determine if your device has SIP enabled, enter the commands 'show
ip sockets' and 'show tcp brief all'. Below is an example of a router
running code without the fix, and without the workaround enabled. The
router in this example is vulnerable to this issue. IOS image in
example: 7200-p-mz.124-3.bin

    Router#show ip sockets
    Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
    17 0.0.0.0             0  --any--          5060   0   0  211   0
    17 0.0.0.0             0 192.168.100.2       67   0   0 2211   0
    17 0.0.0.0             0 192.168.100.2     2517   0   0   11   0               
    

The first line with UDP Port 5060 shows that UDP SIP is enabled.

    Router#show tcp brief all
    TCB       Local Address           Foreign Address        (state)
    2051E680  *.5060                  *.*                    LISTEN
    2051E680  *.5060                  *.*                    LISTEN
    

The above lines with *.5060 show that TCP SIP is enabled.

Vulnerable Products
+------------------

The following is a list of products that support voice and could be
affected by this vulnerability.

  * 815
  * 871
  * 876
  * 877
  * 878
  * 1701
  * 1711
  * 1712
  * 1721
  * 1751
  * 1751-V
  * 1760
  * 1801
  * 1802
  * 1803
  * 1811
  * 1812
  * 1841
  * 2610XM-2611XM
  * 2620XM-2621XM
  * 2650XM-2651XM
  * 2691
  * 2801
  * 2811
  * 2821
  * 2851
  * 3220
  * 3250
  * 3270
  * 3725
  * 3745
  * 3825
  * 3845
  * 7200
  * 7200-NPE-G2
  * 7301

Products Confirmed Not Vulnerable
+--------------------------------

Devices which do not support voice are not affected by this issue.
Devices which are properly configured for SIP processing are not
affected by this issue. We have no reports of this vunerability on
devices that are configured for SIP processing. We also have no
reports of affected IOS-XR devices, CatOS devices, or any device
which does not run IOS, but can not conclusively rule them out
without further testing. This advisory will be updated with more
information as it becomes available. Below is an example of a router 
not vulnerable to this issue. The router in this example is running
the fixed release c7200-js-mz.124-5b.bin.

    Router#show tcp brief all
    
    Router#show ip sockets
    Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
    17 0.0.0.0             0 192.168.100.2      67   0   0 2211   0
    

No lines with UDP Port 5060 are shown and UDP SIP is not enabled. In
this example UDP port 67 is used by DHCP is not related to this
vulnerability.

Details
=======

SIP is a protocol designed for use in IP phone networks, and is
widely used for Voice over Internet Protocol (VOIP) communications
worldwide. Cisco devices running an affected image which supports
voice services automatically enable SIP, which opens a listening port
on UDP port 5060. TCP port 5060 is also opened, but does not appear
to be related to the IOS crash detailed in this advisory.

CSCsb25337 turns off the listening ports TCP and UDP 5060, and there
have been no reports of this vulnerability in any images with this
fix integrated.

Impact
======

Successful exploitation of the vulnerability may result in a reload
of the device. The issue may be repeatedly exploited, leading to an
extended Denial Of Service (DOS) condition.

Software Version and Fixes
==========================

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.

Each row of the Cisco IOS software table (below) describes a release
train and the platforms or products for which it is intended. If a
given release train is vulnerable, then the earliest possible
releases that contain the fix (the "First Fixed Release") and the
anticipated date of availability for each are listed in the "Rebuild"
and "Maintenance" columns. A device running a release in the given
train that is earlier than the release in a specific column (less
than the First Fixed Release) is known to be vulnerable. The release
should be upgraded at least to the indicated release or a later
version (greater than or equal to the First Fixed Release label.

For more information on the terms "Rebuild" and "Maintenance," consult
the following URL: http://www.cisco.com/warp/public/620/1.html

+---------------------------------------+
|   Major    | Availability of Repaired |
|  Release   |         Releases         |
|------------+--------------------------|
| Affected   |            |             |
| 12.0-Based | Rebuild    | Maintenance |
| Release    |            |             |
|------------+--------------------------|
| 12.0       | All 12.0 releases are    |
|            | not vulnerable           |
|------------+--------------------------|
| Affected   |            |             |
| 12.1-Based | Rebuild    | Maintenance |
| Release    |            |             |
|------------+--------------------------|
| 12.1       | All 12.1 releases are    |
|            | not vulnerable           |
|------------+--------------------------|
| Affected   |            |             |
| 12.2-Based | Rebuild    | Maintenance |
| Release    |            |             |
|------------+--------------------------|
| 12.2       | All 12.2 releases are    |
|            | not vulnerable           |
|------------+--------------------------|
| Affected   |            |             |
| 12.3-Based | Rebuild    | Maintenance |
| Release    |            |             |
|------------+--------------------------|
| 12.3       | Not vulnerable           |
|------------+--------------------------|
| 12.3B      | Not vulnerable           |
|------------+--------------------------|
| 12.3BC     | Not vulnerable           |
|------------+--------------------------|
| 12.3BW     | Not vulnerable           |
|------------+--------------------------|
| 12.3JA     | Not vulnerable           |
|------------+--------------------------|
| 12.3JEA    | Not vulnerable           |
|------------+--------------------------|
| 12.3JEB    | Not vulnerable           |
|------------+--------------------------|
| 12.3JK     | Not vulnerable           |
|------------+--------------------------|
| 12.3JX     | Not vulnerable           |
|------------+--------------------------|
|            | Only 12.3(14)T releases  |
|            | are vulnerable; migrate  |
| 12.3T      | to 12.4(8) or later. All |
|            | other 12.3T releases are |
|            | not vulnerable.          |
|------------+--------------------------|
| 12.3TPC    | Not vulnerable           |
|------------+--------------------------|
| 12.3XA     | Not vulnerable           |
|------------+--------------------------|
| 12.3XB     | Not vulnerable           |
|------------+--------------------------|
| 12.3XC     | Not vulnerable           |
|------------+--------------------------|
| 12.3XD     | Not vulnerable           |
|------------+--------------------------|
| 12.3XE     | Not vulnerable           |
|------------+--------------------------|
| 12.3XF     | Not vulnerable           |
|------------+--------------------------|
| 12.3XG     | Not vulnerable           |
|------------+--------------------------|
| 12.3XH     | Not vulnerable           |
|------------+--------------------------|
| 12.3XI     | Not vulnerable           |
|------------+--------------------------|
| 12.3XJ     | Not vulnerable           |
|------------+--------------------------|
| 12.3XK     | Not vulnerable           |
|------------+--------------------------|
| 12.3XQ     | Not vulnerable           |
|------------+--------------------------|
| 12.3XR     | Not vulnerable           |
|------------+--------------------------|
| 12.3XS     | Not vulnerable           |
|------------+--------------------------|
| 12.3XU     | Not vulnerable           |
|------------+--------------------------|
| 12.3XW     | Not vulnerable           |
|------------+--------------------------|
| 12.3XX     | Not vulnerable           |
|------------+--------------------------|
| 12.3XY     | Not vulnerable           |
|------------+--------------------------|
| 12.3YA     | Not vulnerable           |
|------------+--------------------------|
| 12.3YD     | Not vulnerable           |
|------------+--------------------------|
| 12.3YF     | Not vulnerable           |
|------------+--------------------------|
| 12.3YG     | 12.3(8)YG5 |             |
|------------+--------------------------|
| 12.3YH     | Not vulnerable           |
|------------+--------------------------|
| 12.3YI     | Not vulnerable           |
|------------+--------------------------|
| 12.3YJ     | Not vulnerable           |
|------------+--------------------------|
| 12.3YK     | Vulnerable; migrate to   |
|            | 12.4(4)T3 or later       |
|------------+--------------------------|
| 12.3YM     | 12.3(14)   |             |
|            | YM8        |             |
|------------+--------------------------|
| 12.3YQ     | Vulnerable; migrate to   |
|            | 12.4(6)T1 or later       |
|------------+--------------------------|
| 12.3YS     | Not vulnerable           |
|------------+--------------------------|
| 12.3YT     | Vulnerable; migrate to   |
|            | 12.4(4)T3 or later       |
|------------+--------------------------|
| 12.3YU     | Vulnerable; migrate to   |
|            | 12.4(2)XB2 or later      |
|------------+--------------------------|
| 12.3YX     | 12.3(14)   |             |
|            | YX2        |             |
|------------+--------------------------|
| 12.3YZ     | Not vulnerable           |
|------------+--------------------------|
| Affected   |            |             |
| 12.4-Based | Rebuild    | Maintenance |
| Release    |            |             |
|------------+------------+-------------|
|            | 12.4(3d)   |             |
|            |------------+-------------|
| 12.4       | 12.4(5b)   |             |
|            |------------+-------------|
|            | 12.4(7a)   | 12.4(8)     |
|------------+------------+-------------|
| 12.4MR     |            | 12.4(6)MR   |
|------------+--------------------------|
| 12.4SW     | All 12.4SW releases are  |
|            | fixed                    |
|------------+--------------------------|
|            | 12.4(2)T5  |             |
|            |------------+-------------|
| 12.4T      | 12.4(4)T3  |             |
|            |------------+-------------|
|            | 12.4(6)T1  | 12.4(9)T    |
|------------+--------------------------|
| 12.4XA     | Vulnerable; migrate to   |
|            | 12.4(6)T1 or later       |
|------------+--------------------------|
| 12.4XB     | 12.4(4)XB2 |             |
|------------+--------------------------|
| 12.4XC     | Vulnerable; contact TAC  |
|------------+--------------------------|
| 12.4XD     | 12.4(4)XD2 |             |
|------------+--------------------------|
| 12.4XE     | All 12.4XE releases are  |
|            | fixed                    |
|------------+--------------------------|
| 12.4XG     | All 12.4XG releases are  |
|            | fixed                    |
|------------+--------------------------|
| 12.4XJ     | All 12.4XJ releases are  |
|            | fixed                    |
|------------+--------------------------|
| 12.4XP     | All 12.4XP releases are  |
|            | fixed                    |
|------------+--------------------------|
| 12.4XT     | All 12.4XT releases are  |
|            | fixed                    |
+---------------------------------------+

Workarounds
===========

Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Intelligence companion
document for this advisory:
http://www.cisco.com/warp/public/707/cisco-air-20070131-sip.shtml

Turn off SIP processing
+-----------------------

Since this vulnerability is reported only in routers not configured
for SIP, the simplest and most effective workaround is to turn SIP
processing off.

    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#sip-ua
    Router(config-sip-ua)#no transport udp
    Router(config-sip-ua)#no transport tcp
    Router(config-sip-ua)#end
    

Control Plane Policing
+---------------------

Cisco IOS software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and
12.4T support the Control Plane Policing (CoPP) feature. CoPP may be
configured on a device to protect the management and control planes
to minimize the risk and effectiveness of direct infrastructure
attacks by explicitly permitting only authorized traffic sent to
infrastructure device in accordance with existing security policies
and configurations. The following example can be adapted to your
network.

        !-- Permit all TCP and UDP SIP traffic sent to all IP addresses
        !-- configured on all interfaces of the affected device so that it
        !-- will be policed and dropped by the CoPP feature
    
        access-list 100 permit tcp any any eq 5060
        access-list 100 permit udp any any eq 5060
    
        !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
        !-- traffic in accordance with existing security policies and
        !-- configurations for traffic that is authorized to be sent
        !-- to infrastructure devices
        !
        !-- Create a Class-Map for traffic to be policed by
        !-- the CoPP feature
    
        class-map match-all drop-sip-class
          match access-group 100
    
        !-- Create a Policy-Map that will be applied to the
        !-- Control-Plane of the device
    
        policy-map drop-sip-traffic
          class drop-sip-class
            drop
    
        !-- Apply the Policy-Map to the Control-Plane of the
        !-- device
    
        control-plane
          service-policy input drop-sip-traffic
    

Note: In the above CoPP example, the access control list entries
(ACEs) which match the potential exploit packets with the "permit"
action result in these packets being discarded by the policy-map
"drop" function, while packets that match the "deny" action (not
shown) are not affected by the policy-map drop function. Additional
information on the configuration and use of the CoPP feature can be
found at

http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml

and

http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html.

Obtaining Fixed Software
========================

Cisco will make free software available to address this vulnerability
for affected customers. This advisory will be updated as fixed
software becomes available. Prior to deploying software, customers
should consult their maintenance provider or check the software for
feature set compatibility and known issues specific to their
environment.

Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html or as
otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact either "psirt@private" or "security-alert@private"
for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through
prior or existing agreement with third-party support organizations
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party
vendors but are unsuccessful at obtaining fixed software through
their point of sale should get their upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@private

Have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the
TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.

Exploitation and Public Announcements
=====================================

This issue was first reported to Cisco by a customer. Cisco PSIRT is
seeing randomly generated traffic which may be unintentionally
causing this issue to manifest.

Status of this Notice: INTERIM
==============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW
INFORMATION BECOMES AVAILABLE.

A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@private
  * first-teams@private
  * bugtraq@private
  * vulnwatch@private
  * cisco@private
  * cisco-nsp@private
  * full-disclosure@private
  * comp.dcom.sys.cisco@private

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

Revision History
=================

+---------------------------------------+
| Revision |                 | Initial  |
| 1.0      | 2007-January-31 | public   |
|          |                 | release  |
+---------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco
security notices.  All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

- ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFFwGMG8NUAbBmDaxQRAlTmAKCRiz8v9q0ooRzpmx89W6HhITrUVwCZARsf
mIdw8K1qQSI6UXkaxlUsXS8=
=pSPg
-----END PGP SIGNATURE-----



This archive was generated by hypermail 2.1.3 : Fri Feb 02 2007 - 12:02:09 PST