Subject: [NEWS] SIP Packet Reloads IOS Devices Not Configured for SIP
Date: 1 Feb 2007 17:10:22 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
  SIP Packet Reloads IOS Devices Not Configured for SIP
------------------------------------------------------------------------


SUMMARY

Cisco devices running IOS which support voice and are not configured for 
Session Initiation Protocol (SIP) are affected by a vulnerability that may 
lead to a reload of the device under yet to be determined conditions, but 
isolated to traffic destined to Port 5060. At the present time, Cisco is 
investigating the exact nature of the issue; further details will be 
provided in an update to this Advisory at such time as we are able to 
confirm the technical characteristics.

There are no known exploits for this issue although the Cisco PSIRT is 
seeing randomly generated traffic which may be unintentionally causing 
this issue to manifest.

Workarounds exist to mitigate the effects of this problem.

DETAILS

Affected Products:
IOS releases that include voice support after 12.3(14)T, 12.3(8)YC1, 
12.3(8)YG and all of 12.4 are affected. Please see the fixed software 
table for a complete list of fixed and vulnerable trains.

To determine whether your device has SIP enabled, enter the commands show ip 
sockets and show tcp brief all. Below is an example of a router running 
code without the fix and without the workaround enabled; this router is 
vulnerable to the issue. It is running the vulnerable release 
7200-p-mz.124-3.bin:

    Router#show ip sockets
    Proto Remote Port Local Port In Out Stat TTY OutputIF
    17 0.0.0.0 0 --any-- 5060 0 0 211 0
    17 0.0.0.0 0 192.168.100.2 67 0 0 2211 0
    17 0.0.0.0 0 192.168.100.2 2517 0 0 11 0

The first line with UDP Port 5060 shows that UDP SIP is enabled.

    Router#show tcp brief all
    TCB Local Address Foreign Address (state)
    2051E680 *.5060 *.* LISTEN
    2051E680 *.5060 *.* LISTEN

The above lines with *.5060 show that TCP SIP is enabled.

Vulnerable Products:
The following is a list of products that support voice and could be 
affected by this vulnerability.
 * 815
 * 871
 * 876
 * 877
 * 878
 * 1701
 * 1711
 * 1712
 * 1721
 * 1751
 * 1751-V
 * 1760
 * 1801
 * 1802
 * 1803
 * 1811
 * 1812
 * 1841
 * 2610XM-2611XM
 * 2620XM-2621XM
 * 2650XM-2651XM
 * 2691
 * 2801
 * 2811
 * 2821
 * 2851
 * 3220
 * 3250
 * 3270
 * 3725
 * 3745
 * 3825
 * 3845
 * 7200
 * 7200-NPE-G2
 * 7301

Products Confirmed Not Vulnerable:
Devices that do not support voice are not affected by this issue. Devices 
which are properly configured for SIP processing are not affected by this 
issue. We have no reports of this vulnerability on devices that are 
configured for SIP processing. We also have no reports of affected IOS-XR 
devices, CatOS devices, or any device which does not run IOS, but cannot 
conclusively rule them out without further testing. This advisory will be 
updated with more information as it becomes available. Below is an example 
of a router not vulnerable to this issue. The router in this example is 
running the fixed release c7200-js-mz.124-5b.bin.

    Router#show tcp brief all

    Router#show ip sockets
    Proto Remote Port Local Port In Out Stat TTY OutputIF
    17 0.0.0.0 0 192.168.100.2 67 0 0 2211 0

No lines with UDP Port 5060 are shown, so UDP SIP is not enabled. In this 
example, UDP port 67 is used by DHCP and is not related to this vulnerability.

Details:
SIP is a protocol designed for use in IP voice networks and is widely used 
for Voice over Internet Protocol (VoIP) communications worldwide.

Cisco devices running certain versions of IOS with support for voice 
services may be affected by a vulnerability that may lead to a reload of 
the device under yet to be determined conditions, but isolated to traffic 
destined to port 5060. The root cause of this reload is currently under 
investigation. This issue is being tracked in Cisco Bug ID CSCsh58082 
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsh58082>.

In addition, certain versions of IOS with support for voice services may 
process SIP messages even if they are not fully configured for SIP 
operation. To process SIP messages, IOS opens UDP port 5060 and TCP 
port 5060 for listening. The Cisco Bug ID that documents the issue of IOS 
processing SIP messages without being fully configured for SIP operation 
is CSCsb25337 
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsb25337>. 
The fix for this bug turns off the listening ports TCP and UDP 5060.

There have been no reports of CSCsh58082 causing reloads in any images with 
CSCsb25337 integrated.

Impact:
Successful exploitation of the vulnerability may result in a reload of the 
device. The issue may be repeatedly exploited, leading to an extended 
Denial Of Service (DoS) condition.

Workarounds:
Additional mitigations that can be deployed on Cisco devices within the 
network are available in the Cisco Applied Intelligence companion document 
for this advisory: 
http://www.cisco.com/warp/public/707/cisco-air-20070131-sip.shtml

Turn Off SIP Processing

Since this vulnerability is reported only in routers not configured for 
SIP, the simplest and most effective workaround is to turn SIP processing 
off.

    Router#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#sip-ua
    Router(config-sip-ua)#no transport udp
    Router(config-sip-ua)#no transport tcp
    Router(config-sip-ua)#end

After applying this workaround the commands show ip sockets and show tcp 
brief all will not show the device listening on UDP and TCP port 5060:

    Router#show ip sockets
    Proto Remote Port Local Port In Out Stat TTY
     17 --listen-- 9.13.32.18 2887 0 0 11 0

    Router#show tcp brief all
    TCB Local Address Foreign Address (state)
    6649A5A4 *.1720 *.* LISTEN
    66CDC764 *.1723 *.* LISTEN
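As an added example (not part of the advisory and not a Cisco tool), the following Python parses the two IOS command outputs the advisory uses, before and after the workaround, and reports whether the device is still listening for SIP on UDP and TCP 5060. The sample outputs are constructed copies of the advisory's examples; the parser handles both the "remote address / port" and the "--listen--" row forms of show ip sockets.

```python
import re

# Constructed samples modelled on the advisory's command output (not captured from a real device).
VULN_IP_SOCKETS = """\
Router#show ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 --any-- 5060 0 0 211 0
17 0.0.0.0 0 192.168.100.2 67 0 0 2211 0
17 0.0.0.0 0 192.168.100.2 2517 0 0 11 0
"""
VULN_TCP_BRIEF = """\
Router#show tcp brief all
TCB Local Address Foreign Address (state)
2051E680 *.5060 *.* LISTEN
"""
# Output after "no transport udp" / "no transport tcp" under sip-ua
WORKAROUND_IP_SOCKETS = """\
Router#show ip sockets
Proto Remote Port Local Port In Out Stat TTY
 17 --listen-- 9.13.32.18 2887 0 0 11 0
"""
WORKAROUND_TCP_BRIEF = """\
Router#show tcp brief all
TCB Local Address Foreign Address (state)
6649A5A4 *.1720 *.* LISTEN
66CDC764 *.1723 *.* LISTEN
"""

SIP_PORT = 5060

# UDP rows: proto 17, then either "<remote> <rport>" or "--listen--", then "<local> <lport>"
_UDP_ROW = re.compile(r"^\s*17\s+(?:--listen--|\S+\s+\d+)\s+(\S+)\s+(\d+)\b")
# TCP rows: "<TCB> <local>.<port> <foreign> LISTEN"
_TCP_LISTEN = re.compile(r"^\s*[0-9A-Fa-f]+\s+\S+\.(\d+)\s+\S+\s+LISTEN\b")

def udp_ports(show_ip_sockets: str) -> set[int]:
    """Local ports of UDP sockets listed by 'show ip sockets'."""
    return {int(m.group(2)) for line in show_ip_sockets.splitlines()
            if (m := _UDP_ROW.match(line))}

def tcp_listen_ports(show_tcp_brief: str) -> set[int]:
    """Local ports in LISTEN state listed by 'show tcp brief all'."""
    return {int(m.group(1)) for line in show_tcp_brief.splitlines()
            if (m := _TCP_LISTEN.match(line))}

def sip_exposure(show_ip_sockets: str, show_tcp_brief: str) -> dict[str, bool]:
    """True for each transport on which the device is still listening for SIP."""
    return {"udp": SIP_PORT in udp_ports(show_ip_sockets),
            "tcp": SIP_PORT in tcp_listen_ports(show_tcp_brief)}
```

Feed the function the two command outputs captured from a device; a device that is not configured for SIP should report False for both transports once the workaround is in place.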

Control Plane Policing
Cisco IOS software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T 
support the Control Plane Policing (CoPP) feature. CoPP may be configured 
on a device to protect the management and control planes and to minimize the 
risk and effectiveness of direct infrastructure attacks by explicitly 
permitting only authorized traffic sent to infrastructure devices in 
accordance with existing security policies and configurations. The 
following example can be adapted to your network.

    !-- Permit all TCP and UDP SIP traffic sent to all IP addresses
    !-- configured on all interfaces of the affected device so that it
    !-- will be policed and dropped by the CoPP feature

    access-list 100 permit tcp any any eq 5060
    access-list 100 permit udp any any eq 5060

    !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
    !-- traffic in accordance with existing security policies and
    !-- configurations for traffic that is authorized to be sent
    !-- to infrastructure devices

    !-- Create a Class-Map for traffic to be policed by
    !-- the CoPP feature

    class-map match-all drop-sip-class
      match access-group 100

    !-- Create a Policy-Map that will be applied to the
    !-- Control-Plane of the device

    policy-map drop-sip-traffic
      class drop-sip-class
        drop

    !-- Apply the Policy-Map to the Control-Plane of the
    !-- device

    control-plane
      service-policy input drop-sip-traffic
Note: In the above CoPP example, the access control list entries (ACEs) 
which match the potential exploit packets with the "permit" action result 
in these packets being discarded by the policy-map "drop" function, while 
packets that match the "deny" action (not shown) are not affected by the 
policy-map drop function. Additional information on the configuration and 
use of the CoPP feature can be found at 
http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml
and 
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html


ADDITIONAL INFORMATION

The information has been provided by the Cisco Systems Product Security 
Incident Response Team <mailto:psirt@cisco.com>.
The original article can be found at: 
http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml
