Cisco Applied Mitigation Bulletin

Identifying and Mitigating Exploitation of Multiple Cisco Unified CallManager and Presence Server Vulnerabilities

Advisory ID: cisco-amb-20070328-voip

http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20070328-voip

Revision 1.2

For Public Release 2007 March 28 16:00 UTC (GMT)


Contents

Cisco Response
Device-Specific Mitigation and Identification
Additional Information
Revision History
Cisco Security Procedures
Related Information

Cisco Response

Vulnerability Characteristics

Cisco Unified CallManager (CUCM) and Cisco Unified Presence Server (CUPS) contain multiple vulnerabilities that may result in the failure of CUCM or CUPS functionality, resulting in a denial of service (DoS) condition:

SCCP Port Scan Denial of Service Vulnerability. This vulnerability affects only Cisco Unified CallManager. It can be exploited remotely with no authentication and no user interaction is necessary. Exploitation can allow the attacker to create a DoS condition. The attack vector is through TCP port 2000 (Skinny Call Control Protocol, SCCP) or TCP port 2443 (Secure SCCP, SCCPS). This vulnerability is not covered by a CVE ID.

ICMP Echo Request Flood Denial of Service Vulnerability. This vulnerability can be exploited remotely with no authentication and no user interaction is necessary. Exploitation can allow the attacker to create a DoS condition. The attack vector is through ICMP Type 8 (echo request) packets. This vulnerability is not covered by a CVE ID.

IPSec Manager Denial of Service Vulnerability. This vulnerability can be exploited remotely with no authentication and no user interaction is necessary. Exploitation can allow the attacker to create a DoS condition. The attack vector is through UDP port 8500. This vulnerability is not covered by a CVE ID.

This document contains information to assist Cisco customers in mitigating attempts to exploit the multiple Cisco Unified CallManager and Presence Server denial of service vulnerabilities.

Information about vulnerable, unaffected, and fixed software is available in the PSIRT Security Advisory: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070328-voip

Mitigation Technique Overview

Cisco devices provide several countermeasures for the multiple Cisco Unified CallManager and Presence Server vulnerabilities.

The most effective means of exploit prevention is provided by Cisco IOS Software, Cisco PIX Security Appliances, Cisco ASA Adaptive Security Appliances, and Firewall Service Modules (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers using transit access control lists (tACLs).

Cisco Intrusion Prevention System (IPS) provides detection and potential mitigation capabilities. Detective controls can also be performed using Cisco IOS NetFlow, Cisco ASA Adaptive Security Appliance, Cisco PIX Security Appliance, and the Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers through syslog messages and the counter values displayed in the show command output.

Additional best practices can mitigate spoofed packets that could exploit the multiple Cisco Unified CallManager and Presence Server vulnerabilities:

  • Unicast Reverse Path Forwarding (Unicast RPF)
  • IP Source Guard

More information about securing Unified Communications is available in the "Voice Security" section of the Unified Communications Solution Reference Network Design (SRND) for CallManager 4.x or 5.x.

Risk Management

Organizations are advised to follow their standard risk evaluation and mitigation processes to determine the potential impact of these vulnerabilities. Triage refers to sorting projects and prioritizing efforts that are most likely to be successful. Cisco has provided documents that can help organizations develop a risk-based triage capability for their information security teams. Risk Triage for Security Vulnerability Announcements and Risk Triage and Prototyping can help organizations develop repeatable security evaluation and response processes.

Device-Specific Mitigation and Identification

Caution: The effectiveness of any mitigation technique is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Cisco IOS Routers

Mitigation: Transit Access Control Lists

Transit access control lists (tACLs) can be used on Cisco IOS devices in front of vulnerable devices to mitigate the multiple Cisco Unified CallManager and Presence Server denial of service vulnerabilities.

Mitigation of the SCCP port scan denial of service vulnerability is possible by permitting TCP port 2000 (SCCP) and TCP port 2443 (SCCPS) traffic only from the IP addresses of Voice over IP (VoIP) end stations. Mitigation is facilitated when VoIP phones are deployed using a separate voice and data VLAN model. Note that there are other VoIP end stations besides the VoIP phones.

The ICMP echo request flood denial of service vulnerability can be mitigated by blocking ICMP echo messages sent to the CUCM/CUPS systems. Note that this might affect network management applications and troubleshooting procedures.

To mitigate the IPSec manager denial of service vulnerability, UDP port 8500 must be permitted only from systems that belong to the CallManager cluster. All other sources need to be blocked from accessing UDP port 8500 (with or without remote WAN clustering).

In the following sample transit ACL:

  • CUCM systems are at the 192.168.138.23 and 192.168.138.24 IP addresses. They are reachable via the GigabitEthernet0/1 interface.
  • The CUPS system is 192.168.138.25 and is reachable via the GigabitEthernet0/1 interface.
  • VoIP endpoints are in the 192.168.128.0/24 and 192.168.150.0/24 IP address space. They are reachable via the GigabitEthernet0/0 interface.

    ip access-list extended ACL-TRANSIT

    !-- Allow SCCP and SCCPS traffic only from IP addresses assigned to
    !-- Voice over IP endpoints

     permit tcp 192.168.128.0 0.0.0.255 host 192.168.138.23 eq 2000
     permit tcp 192.168.128.0 0.0.0.255 host 192.168.138.24 eq 2000
     permit tcp 192.168.150.0 0.0.0.255 host 192.168.138.23 eq 2000
     permit tcp 192.168.150.0 0.0.0.255 host 192.168.138.24 eq 2000

     permit tcp 192.168.128.0 0.0.0.255 host 192.168.138.23 eq 2443
     permit tcp 192.168.128.0 0.0.0.255 host 192.168.138.24 eq 2443
     permit tcp 192.168.150.0 0.0.0.255 host 192.168.138.23 eq 2443
     permit tcp 192.168.150.0 0.0.0.255 host 192.168.138.24 eq 2443

    !-- Deny SCCP/SCCPS traffic to CUCM systems from other IP addresses

     deny   tcp any host 192.168.138.23 eq 2000
     deny   tcp any host 192.168.138.24 eq 2000
     deny   tcp any host 192.168.138.23 eq 2443
     deny   tcp any host 192.168.138.24 eq 2443

    !-- Deny ICMP echo to the local CUCM and CUPS systems
    !-- Note this might impact Network Management Stations
    !-- and troubleshooting procedures

     deny   icmp any host 192.168.138.23 echo
     deny   icmp any host 192.168.138.24 echo
     deny   icmp any host 192.168.138.25 echo

    !-- Block UDP port 8500 to the inside CUCM/CUPS systems from other hosts

     deny   udp any host 192.168.138.23 eq 8500
     deny   udp any host 192.168.138.24 eq 8500
     deny   udp any host 192.168.138.25 eq 8500

    !-- Permit/Deny all other Layer 3 and Layer 4 traffic in accordance
    !-- with existing security policies and configurations,
    !-- including other voice, transit and control protocols to CUCM/CUPS systems

    !-- ACL-TRANSIT access list should be applied inbound to all
    !-- non-loopback interfaces other than GigabitEthernet0/1

    interface GigabitEthernet0/0
     ip access-group ACL-TRANSIT in

Note that an input access list protects both the devices behind the router and the router itself, and it filters packets before routing takes place. When possible, use an input access list instead of an output access list.

In the Cisco Unified CallManager call processing IP Clustering over WAN deployment model, CUCM systems are deployed in multiple locations and UDP port 8500 might need to be permitted between local and remote CUCM systems. Note that CUPS does not support the WAN cluster model.

For more information on transit ACLs, refer to Transit Access Control Lists: Filtering at Your Edge.

Mitigation: Anti-Spoof Protection Using Unicast Reverse Path Forwarding

The ICMP echo request flood denial of service vulnerability and IPSec Manager denial of service vulnerability may be exploited by spoofed attacks.

Protection mechanisms for anti-spoofing exist through the proper deployment and configuration of Unicast Reverse Path Forwarding (Unicast RPF). Unicast RPF is configured at the interface level and can detect and drop (discard) incoming packets with source addresses that fail the configured verification. Administrators should not rely on Unicast RPF alone to provide 100 percent spoofing protection because it will not detect subnet spoofing.

Strict mode Unicast RPF is most effective against spoofing attacks when properly deployed in close proximity to sources of spoofed packets. Strict mode Unicast RPF in Layer 3 devices coupled with IP source guard in Layer 2 devices provides the most effective means of anti-spoofing protection for the vulnerabilities described in this document.

Care must be taken to ensure that the appropriate Unicast RPF mode (loose or strict) is configured during the deployment of this feature because it can drop legitimate traffic transiting through the network. In an enterprise environment, Unicast RPF might be enabled at the access layer on the user-supporting Layer 3 interfaces.

Identification: Transit Access Control Lists

After the transit access control list (tACL) is applied, the show access-lists command can be used to identify the number of packets being filtered. Filtered packets should be investigated to determine if they are potential attempts to exploit one of the vulnerabilities described within this document. The following is an example of output for the show access-lists ACL-TRANSIT command:

Router# show access-lists ACL-TRANSIT
Extended IP access list ACL-TRANSIT
    10 permit tcp 192.168.128.0 0.0.0.255 host 192.168.138.23 eq 2000 (5 matches)
    20 permit tcp 192.168.128.0 0.0.0.255 host 192.168.138.24 eq 2000 (14 matches)
    30 permit tcp 192.168.150.0 0.0.0.255 host 192.168.138.23 eq 2000
    40 permit tcp 192.168.150.0 0.0.0.255 host 192.168.138.24 eq 2000
    50 permit tcp 192.168.128.0 0.0.0.255 host 192.168.138.23 eq 2443
    60 permit tcp 192.168.128.0 0.0.0.255 host 192.168.138.24 eq 2443
    70 permit tcp 192.168.150.0 0.0.0.255 host 192.168.138.23 eq 2443
    80 permit tcp 192.168.150.0 0.0.0.255 host 192.168.138.24 eq 2443
    90 deny tcp any host 192.168.138.23 eq 2000
    100 deny tcp any host 192.168.138.24 eq 2000
    110 deny tcp any host 192.168.138.23 eq 2443
    120 deny tcp any host 192.168.138.24 eq 2443 (88 matches)
    130 deny icmp any host 192.168.138.23 echo (100 matches)
    140 deny icmp any host 192.168.138.24 echo (172 matches)
    150 deny icmp any host 192.168.138.25 echo
    160 deny udp any host 192.168.138.23 eq 8500 (26 matches)
    170 deny udp any host 192.168.138.24 eq 8500 (35 matches)
    180 deny udp any host 192.168.138.25 eq 8500

In the preceding example, access list ACL-TRANSIT permitted 5 and 14 TCP port 2000 packets from VoIP endpoints to CUCM servers 192.168.138.23 and 192.168.138.24 respectively, and dropped 88 TCP port 2443 packets destined for 192.168.138.24, 100 and 172 ICMP echo messages, and 26 and 35 UDP port 8500 packets destined for 192.168.138.23 and 192.168.138.24 respectively.
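Because ACL match counters are cumulative, a single show access-lists snapshot only tells you what has been filtered since the counters were last cleared; what identifies an ongoing attempt is growth between two snapshots. The following added example (not part of the bulletin) parses the IOS output format shown above, tallies matches per CUCM/CUPS host and attack vector, and diffs two snapshots; the first snapshot reproduces a subset of the bulletin's sample output, the second is constructed.

```python
"""Tally and diff 'show access-lists ACL-TRANSIT' counters per CUCM/CUPS host.

Added example (not from the bulletin). The first snapshot reproduces a subset
of the bulletin's sample output; the second snapshot is constructed to show how
cumulative counters are turned into per-interval growth.
"""
import re
from collections import defaultdict

# (protocol, port or ICMP type keyword) -> attack vector named in the bulletin
VECTORS = {
    ("tcp", "2000"): "SCCP",
    ("tcp", "2443"): "SCCPS",
    ("icmp", "echo"): "ICMP echo",
    ("udp", "8500"): "IPSec Manager (UDP 8500)",
}

# One IOS ACE line: sequence, action, protocol, source (either 'any' or
# 'network wildcard'), 'host <dst>', then 'eq <port>' or an ICMP type keyword,
# optionally followed by '(N matches)'.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>any|\S+\s+\S+)\s+host\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:eq\s+(?P<port>\d+)|(?P<icmptype>[a-z-]+))"
    r"(?:\s+\((?P<matches>\d+)\s+matches\))?\s*$"
)

SNAPSHOT_1 = """\
Extended IP access list ACL-TRANSIT
    10 permit tcp 192.168.128.0 0.0.0.255 host 192.168.138.23 eq 2000 (5 matches)
    20 permit tcp 192.168.128.0 0.0.0.255 host 192.168.138.24 eq 2000 (14 matches)
    90 deny tcp any host 192.168.138.23 eq 2000
    120 deny tcp any host 192.168.138.24 eq 2443 (88 matches)
    130 deny icmp any host 192.168.138.23 echo (100 matches)
    140 deny icmp any host 192.168.138.24 echo (172 matches)
    160 deny udp any host 192.168.138.23 eq 8500 (26 matches)
    170 deny udp any host 192.168.138.24 eq 8500 (35 matches)
"""

# Constructed second snapshot, as if taken a few minutes later.
SNAPSHOT_2 = """\
Extended IP access list ACL-TRANSIT
    10 permit tcp 192.168.128.0 0.0.0.255 host 192.168.138.23 eq 2000 (7 matches)
    20 permit tcp 192.168.128.0 0.0.0.255 host 192.168.138.24 eq 2000 (14 matches)
    90 deny tcp any host 192.168.138.23 eq 2000 (3 matches)
    120 deny tcp any host 192.168.138.24 eq 2443 (88 matches)
    130 deny icmp any host 192.168.138.23 echo (340 matches)
    140 deny icmp any host 192.168.138.24 echo (172 matches)
    160 deny udp any host 192.168.138.23 eq 8500 (26 matches)
    170 deny udp any host 192.168.138.24 eq 8500 (35 matches)
"""


def parse_access_list(text):
    """Return {sequence: (action, vector, dst, matches)} for every ACE found."""
    entries = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # header line or an ACE shape this parser does not handle
        key = m["icmptype"] if m["proto"] == "icmp" else m["port"]
        vector = VECTORS.get((m["proto"], key), f"other {m['proto']}/{key}")
        matches = int(m["matches"]) if m["matches"] else 0
        entries[int(m["seq"])] = (m["action"], vector, m["dst"], matches)
    return entries


def tally(entries):
    """Sum matches by (destination host, vector, action): a permit count is
    legitimate traffic, a deny count is traffic worth investigating."""
    totals = defaultdict(int)
    for action, vector, dst, matches in entries.values():
        totals[(dst, vector, action)] += matches
    return dict(totals)


def delta(before, after):
    """Per-ACE growth between two snapshots. Counters are cumulative, so only
    a nonzero delta indicates traffic during the interval. If a counter went
    backwards (counters cleared in between), the new value is taken as-is."""
    growth = {}
    for seq, (action, vector, dst, after_m) in after.items():
        before_m = before.get(seq, (None, None, None, 0))[3]
        change = after_m - before_m if after_m >= before_m else after_m
        if change:
            growth[seq] = (action, vector, dst, change)
    return growth


if __name__ == "__main__":
    first, second = parse_access_list(SNAPSHOT_1), parse_access_list(SNAPSHOT_2)
    for (dst, vector, action), n in sorted(tally(first).items()):
        print(f"{dst:16} {vector:26} {action:6} {n}")
    for seq, (action, vector, dst, change) in sorted(delta(first, second).items()):
        print(f"ACE {seq}: +{change} {action} {vector} -> {dst}")
```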

Identification: Anti-Spoof Protection Using Unicast Reverse Path Forwarding

With Unicast RPF properly deployed and configured throughout the network infrastructure, the show ip interface interfacetype slot/port, show cef interfacetype slot/port internal, and show ip traffic commands can be used to identify the number of packets that Unicast RPF has discarded.

Router# show ip interface GigabitEthernet0/0 
GigabitEthernet0/0 is up, line protocol is up
  
    <Output suppressed>
  
  IP verify source reachable-via RX, allow default
   2023 verification drops
   0 suppressed verification drops
  IP multicast multilayer switching is disabled

Router# show cef interface GigabitEthernet0/0 internal
GigabitEthernet0/0 is up (if_number 95)

   <Output suppressed>

 Subblocks:
  ip verify: via=rx (allow default), acl=0, drop=2023, sdrop=0

Router# show ip traffic | include RPF
         25 no route, 7236 unicast RPF, 0 forced drop

In the preceding examples, Unicast RPF has dropped 2023 IP packets received on interface GigabitEthernet0/0 due to the inability to verify the source address of the IP packets within the Cisco Express Forwarding (CEF) Forwarding Information Base (FIB). The total number of packets discarded in all interfaces because they failed Unicast RPF verification is 7236.

Cisco IOS Switches

Mitigation: Anti-Spoof Protection Using IP Source Guard

The ICMP echo request flood denial of service vulnerability and IPSec Manager denial of service vulnerability may be exploited by spoofed attacks.

Protection mechanisms for anti-spoofing exist through the proper deployment and configuration of IP source guard. IP source guard is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. IP source guard can be used to help prevent attacks from a malicious user who attempts to spoof packets by forging the source IP address and/or the MAC address. When properly deployed and configured, IP source guard coupled with strict mode Unicast RPF provides the most effective means of anti-spoofing protection for the ICMP echo request flood denial of service vulnerability and IPSec Manager denial of service vulnerability.

After IP source guard is enabled on an interface, the switch blocks all IP traffic received on the interface except for DHCP packets allowed by DHCP snooping. After a DHCP IP address is assigned, a port access control list (port ACL) is applied to the interface. The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.

The IP source binding table has bindings that are learned by DHCP snooping or manually configured (static IP source bindings). An entry in this table has an IP address, its associated MAC address, and its associated VLAN number. The switch uses the IP source binding table only when IP source guard is enabled.

IP source guard is supported only on Layer 2 ports, including access and trunk ports. IP source guard can be configured for source IP address filtering or with source IP and MAC address filtering.

Additional information about IP source guard is available at Configuring DHCP Features and IP Source Guard.

Cisco IOS NetFlow

Identification

In the case of the SCCP port scan denial of service vulnerability, traffic information from Cisco IOS NetFlow needs to be reviewed to identify anomalous sources of TCP port 2000 (SCCP, hex value 07D0) and TCP port 2443 (SCCPS, hex value 098B).

For the ICMP echo request flood denial of service vulnerability, note that NetFlow indicates the ICMP echo request type and code as the "Destination Port," that is, "0800" is displayed (Type 8, Code 0).

For the IPSec Manager denial of service vulnerability, NetFlow can be used to identify traffic to UDP port 8500 (hex value 2134). In the following example, ICMP echo messages with a source IP address of 192.168.160.107 are sent to CUCM/CUPS systems 192.168.138.23 and 192.168.138.24.

Router# show ip cache flow | include DstP|07D0|098B|0800|2134
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0         192.168.160.132 Gi0/1         192.168.138.23  06 1C85 07D0     1 
Gi0/0         192.168.160.195 Gi0/1         192.168.138.24  06 1D32 07D0     1 
Gi0/0         192.168.160.134 Gi0/1         192.168.138.23  06 1A57 07D0     1 
Gi0/0         192.168.160.110 Gi0/1         192.168.138.24  06 20CA 098B     1 
Gi0/0         192.168.160.110 Gi0/1         192.168.138.24  06 2038 098B     2 
Gi0/0         192.168.160.110 Gi0/1         192.168.138.24  06 18FB 07D0     1 
Gi0/0         192.168.160.105 Gi0/1         192.168.138.24  01 0000 0800     1 
Gi0/0         192.168.160.107 Gi0/1         192.168.138.24  01 0000 0800     1 
Gi0/0         192.168.160.107 Gi0/1         192.168.138.23  01 0000 0800     2 
Gi0/0         192.168.132.45  Gi0/1         192.168.138.24  11 19BB 2134     1 
Gi0/0         192.168.132.44  Gi0/1         192.168.138.23  11 190A 2134     1 
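Reading the flow cache by eye does not scale once a flood is under way, and the hexadecimal Pr/SrcP/DstP columns are easy to misread. The following added example (not part of the bulletin) decodes the show ip cache flow format shown above, maps each record to one of the three vectors (TCP 2000/2443, ICMP type 8 encoded as 0800 in DstP, UDP 8500), and aggregates packets per source toward the CUCM/CUPS hosts; the records reproduce the bulletin's output plus one constructed record from a permitted VoIP endpoint, and the host and endpoint addresses are those of the bulletin's tACL.

```python
"""Decode 'show ip cache flow' records and group them by attack vector.

Added example (not from the bulletin). The flow records below reproduce the
bulletin's sample output plus one constructed record from a legitimate VoIP
endpoint; the CUCM/CUPS and endpoint addresses are those of the bulletin's tACL.
"""
from collections import defaultdict

# NetFlow prints the IP protocol number and both ports in hexadecimal.
PROTO_NAMES = {0x01: "icmp", 0x06: "tcp", 0x11: "udp"}

CUCM_CUPS_HOSTS = {"192.168.138.23", "192.168.138.24", "192.168.138.25"}
VOIP_ENDPOINT_PREFIXES = ("192.168.128.", "192.168.150.")  # the tACL's /24s

FLOW_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0         192.168.160.132 Gi0/1         192.168.138.23  06 1C85 07D0     1
Gi0/0         192.168.160.195 Gi0/1         192.168.138.24  06 1D32 07D0     1
Gi0/0         192.168.160.134 Gi0/1         192.168.138.23  06 1A57 07D0     1
Gi0/0         192.168.160.110 Gi0/1         192.168.138.24  06 20CA 098B     1
Gi0/0         192.168.160.110 Gi0/1         192.168.138.24  06 2038 098B     2
Gi0/0         192.168.160.110 Gi0/1         192.168.138.24  06 18FB 07D0     1
Gi0/0         192.168.160.105 Gi0/1         192.168.138.24  01 0000 0800     1
Gi0/0         192.168.160.107 Gi0/1         192.168.138.24  01 0000 0800     1
Gi0/0         192.168.160.107 Gi0/1         192.168.138.23  01 0000 0800     2
Gi0/0         192.168.132.45  Gi0/1         192.168.138.24  11 19BB 2134     1
Gi0/0         192.168.132.44  Gi0/1         192.168.138.23  11 190A 2134     1
Gi0/0         192.168.128.50  Gi0/1         192.168.138.23  06 C1A3 07D0    12
"""
# The last record (a phone in 192.168.128.0/24 speaking SCCP) is constructed.


def classify(proto, dst_port):
    """Map a decoded (protocol, DstP) pair to one of the bulletin's vectors.
    For ICMP the DstP column holds type << 8 | code, so 0x0800 is type 8
    (echo request), code 0."""
    if proto == "tcp" and dst_port in (2000, 2443):
        return "SCCP/SCCPS port scan"
    if proto == "icmp" and dst_port >> 8 == 8:
        return "ICMP echo request flood"
    if proto == "udp" and dst_port == 8500:
        return "IPSec Manager (UDP 8500)"
    return None


def parse_flows(text):
    """Turn the flow cache listing into dicts with the hex fields decoded."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":
            continue  # header or a line in another format
        _, src, _, dst, pr, sp, dp, pkts = parts
        proto_num = int(pr, 16)
        records.append({
            "src": src, "dst": dst,
            "proto": PROTO_NAMES.get(proto_num, str(proto_num)),
            "sport": int(sp, 16), "dport": int(dp, 16), "pkts": int(pkts),
        })
    return records


def suspicious_sources(records):
    """Packets per (source, vector) toward CUCM/CUPS, with the set of
    (destination, port) pairs each source touched. SCCP/SCCPS from the
    endpoint space the tACL permits is treated as legitimate and skipped."""
    agg = defaultdict(lambda: {"pkts": 0, "targets": set()})
    for r in records:
        if r["dst"] not in CUCM_CUPS_HOSTS:
            continue
        vector = classify(r["proto"], r["dport"])
        if vector is None:
            continue
        if vector.startswith("SCCP") and r["src"].startswith(VOIP_ENDPOINT_PREFIXES):
            continue
        entry = agg[(r["src"], vector)]
        entry["pkts"] += r["pkts"]
        entry["targets"].add((r["dst"], r["dport"]))
    return dict(agg)


if __name__ == "__main__":
    for (src, vector), info in sorted(suspicious_sources(parse_flows(FLOW_CACHE)).items()):
        targets = ", ".join(f"{d}:{p}" for d, p in sorted(info["targets"]))
        print(f"{src:16} {vector:26} pkts={info['pkts']:<3} -> {targets}")
```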

Cisco ASA, PIX, and FWSM Firewalls

Mitigation: Transit Access Control Lists

Transit access control lists (tACLs) can be used on FWSM or ASA devices in front of the vulnerable devices to mitigate the multiple Cisco Unified CallManager and Presence Server denial of service vulnerabilities.

Mitigation of the SCCP port scan denial of service vulnerability is possible by permitting TCP port 2000 (SCCP) and TCP port 2443 (SCCPS) traffic only from the IP addresses of Voice over IP (VoIP) end stations. Mitigation is facilitated when VoIP phones are deployed using a separate voice and data VLAN model. Note that there are other VoIP end stations besides the VoIP phones.

The ICMP echo request flood denial of service vulnerability can be mitigated by blocking ICMP echo messages to the CUCM/CUPS systems. Note that this might affect network management applications and troubleshooting procedures.

In the Cisco Unified CallManager call processing IP clustering over WAN deployment model, CUCM systems are deployed in multiple locations. To mitigate the IPSec Manager denial of service vulnerability in that model, UDP port 8500 needs to be permitted to and from remote CUCM systems. All other sources need to be blocked from accessing UDP port 8500 (with or without remote WAN clustering).

In the following sample transit ACL:

  • CUCM systems are at the 192.168.138.23 and 192.168.138.24 IP addresses. They are reachable via the inside interface.
  • The CUPS system is 192.168.138.25 and is reachable via the inside interface.
  • VoIP endpoints are in the 192.168.128.0/24 and 192.168.150.0/24 IP address space. They are reachable via the outside interface.

Note that the access list uses the object grouping feature, which simplifies the construction of the access list by assigning a name to a list of one or more IP addresses or IP address blocks. Then those named groups can be used in an access control entry (ACE) and the administrator does not have to enter an ACE for each IP address or IP address block separately. The firewall will expand the group ACE into the individual entries that will be seen in the show access-list command output. First the groups are defined:


!-- Network object group for CUCM systems that face the inside interface

object-group network OBJ-INSIDE-CUCM

!-- list each of the IP addresses of CUCM systems

 network-object host 192.168.138.23
 network-object host 192.168.138.24

object-group network OBJ-INSIDE-CUCM-CUPS

!-- list each of the IP addresses of both CUCM and CUPS systems

 network-object host 192.168.138.23
 network-object host 192.168.138.24
 network-object host 192.168.138.25

!-- Network object group of endpoints facing the outside interface

object-group network OBJ-OUTSIDE-ENDPOINT

!-- List the IP address or IP address blocks that contain VoIP endpoints.

 network-object 192.168.128.0 255.255.255.0
 network-object 192.168.150.0 255.255.255.0

After the groups are defined, they can be used in the access list:


!-- Allow SCCP and SCCPS traffic only from IP addresses assigned to
!-- Voice over IP endpoints

access-list ACL-OUTSIDE extended permit tcp object-group OBJ-OUTSIDE-ENDPOINT object-group OBJ-INSIDE-CUCM eq 2000
access-list ACL-OUTSIDE extended permit tcp object-group OBJ-OUTSIDE-ENDPOINT object-group OBJ-INSIDE-CUCM eq 2443

!-- Deny SCCP/SCCPS traffic to CUCM systems from other IP addresses

access-list ACL-OUTSIDE extended deny tcp any object-group OBJ-INSIDE-CUCM eq 2000
access-list ACL-OUTSIDE extended deny tcp any object-group OBJ-INSIDE-CUCM eq 2443

!-- Deny ICMP echo to the local CUCM and CUPS systems
!-- Note this might impact Network Management Stations and troubleshooting procedures

access-list ACL-OUTSIDE extended deny icmp any object-group OBJ-INSIDE-CUCM-CUPS echo

!-- Block UDP port 8500 to the inside CUCM/CUPS systems from other hosts

access-list ACL-OUTSIDE extended deny udp any object-group OBJ-INSIDE-CUCM-CUPS eq 8500

!-- Permit/Deny all other Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations,
!-- including other voice, transit and control protocols to CUCM/CUPS systems

!-- Apply access-list to outside interface

access-group ACL-OUTSIDE in interface outside

Identification: Transit Access Control Lists

In the following example, all CUCM/CUPS systems are facing the inside interface and the show access-list command indicates that 42 packets were blocked for the 192.168.138.23 CUCM/CUPS system. For each of the ACEs that have at least one object group, the ACE is listed first as configured with the group name, then the expanded ACEs are listed with the same ACE line number.

Firewall# show access-list ACL-OUTSIDE
access-list ACL-OUTSIDE; 19 elements
access-list ACL-OUTSIDE line 1 extended permit tcp object-group OBJ-OUTSIDE-ENDPOINT 
            object-group OBJ-INSIDE-CUCM eq 2000 0xd054f5da 
access-list ACL-OUTSIDE line 1 extended permit tcp 192.168.128.0 255.255.255.0 host  
            192.168.138.23 eq 2000 (hitcnt=0) 0x128c3c9f 
access-list ACL-OUTSIDE line 1 extended permit tcp 192.168.128.0 255.255.255.0 host  
            192.168.138.24 eq 2000 (hitcnt=0) 0xd7f06535 
access-list ACL-OUTSIDE line 1 extended permit tcp 192.168.150.0 255.255.255.0 host  
            192.168.138.23 eq 2000 (hitcnt=0) 0x5338ccad 
access-list ACL-OUTSIDE line 1 extended permit tcp 192.168.150.0 255.255.255.0 host  
            192.168.138.24 eq 2000 (hitcnt=0) 0xd281b603 
access-list ACL-OUTSIDE line 2 extended permit tcp object-group OBJ-OUTSIDE-ENDPOINT  
            object-group OBJ-INSIDE-CUCM eq 2443 0xb260844 
access-list ACL-OUTSIDE line 2 extended permit tcp 192.168.128.0 255.255.255.0 host  
            192.168.138.23 eq 2443 (hitcnt=0) 0xd0987243 
access-list ACL-OUTSIDE line 2 extended permit tcp 192.168.128.0 255.255.255.0 host  
            192.168.138.24 eq 2443 (hitcnt=0) 0x16665ff8 
access-list ACL-OUTSIDE line 2 extended permit tcp 192.168.150.0 255.255.255.0 host  
            192.168.138.23 eq 2443 (hitcnt=0) 0x58603227 
access-list ACL-OUTSIDE line 2 extended permit tcp 192.168.150.0 255.255.255.0 host  
            192.168.138.24 eq 2443 (hitcnt=0) 0xfd3e1a80 
access-list ACL-OUTSIDE line 3 extended deny tcp any object-group OBJ-INSIDE-CUCM  
            eq 2000 0xf677709d 
access-list ACL-OUTSIDE line 3 extended deny tcp any host 192.168.138.23 eq 2000  
            (hitcnt=0) 0xdb0430ba 
access-list ACL-OUTSIDE line 3 extended deny tcp any host 192.168.138.24 eq 2000  
            (hitcnt=0) 0xad1014ee 
access-list ACL-OUTSIDE line 4 extended deny tcp any object-group OBJ-INSIDE-CUCM  
            eq 2443 0x6734cf27 
access-list ACL-OUTSIDE line 4 extended deny tcp any host 192.168.138.23 eq 2443  
            (hitcnt=0) 0x37843dd4 
access-list ACL-OUTSIDE line 4 extended deny tcp any host 192.168.138.24 eq 2443  
            (hitcnt=0) 0x2eece9b2 
access-list ACL-OUTSIDE line 5 extended deny icmp any object-group  
            OBJ-INSIDE-CUCM-CUPS echo 0xc8d47a18 
access-list ACL-OUTSIDE line 5 extended deny icmp any host 192.168.138.23 echo  
            (hitcnt=42) 0x63d46eca 
access-list ACL-OUTSIDE line 5 extended deny icmp any host 192.168.138.24 echo  
            (hitcnt=0) 0x7491f7e1 
access-list ACL-OUTSIDE line 5 extended deny icmp any host 192.168.138.25 echo  
            (hitcnt=0) 0xfe6871cf 
access-list ACL-OUTSIDE line 6 extended deny udp any object-group  
            OBJ-INSIDE-CUCM-CUPS eq 8500 0xb35f3669 
access-list ACL-OUTSIDE line 6 extended deny udp any host 192.168.138.23 eq 8500  
            (hitcnt=0) 0x2fc70d6d 
access-list ACL-OUTSIDE line 6 extended deny udp any host 192.168.138.24 eq 8500  
            (hitcnt=0) 0x187b4431 
access-list ACL-OUTSIDE line 6 extended deny udp any host 192.168.138.25 eq 8500  
            (hitcnt=0) 0xbf1c1b4c

In the preceding example, 42 ICMP echo request packets to 192.168.138.23 were denied (hitcnt=42 on the expanded line 5 entry); no SCCP, SCCPS, or UDP port 8500 packets had been denied when the output was taken.

Identification: Firewall Syslog Messages

Firewall syslog message 106023 will be generated for packets denied by an ACE that does not have the log keyword present. Additional information about this syslog message is available at Cisco Security Appliance System Log Message - 106023.

In the following examples, the show logging | include regex command is used to extract syslog messages from the logging buffer on the firewall.

FWSM# show logging | include 106023
Mar 16 2007 20:58:35: %FWSM-4-106023: Deny udp src outside:192.168.160.132/5158 
dst inside:192.168.138.23/8500 by access-group "ACL-OUTSIDE" [0xb19538ff, 0x2fc70d6d]

Cisco Intrusion Prevention System

The Cisco Intrusion Prevention System (IPS) appliances and services modules can be used to provide threat detection and prevention against attempts to exploit vulnerabilities described in this document.

Potential exploits of the ICMP echo request flood denial of service vulnerability can be detected with signature 6902/0 (Signature Name: Net Flood ICMP Request), starting with signature pack S4. The signature 6902/0 alarm severity defaults to Informational because it might result in false positives.

Starting with signature update S278 for sensors running Cisco IPS version 6.x or 5.x, the IPSec Manager Denial of Service Vulnerability described in this document can be detected by signature 5854/0 (Signature Name: Cisco CUCM/CUPS Denial of Service Vulnerability). Signature 5854/0 is enabled by default and triggers a Medium severity event (see the example later in this section).

Identification: IPS Signatures

IPS signature 5854/1 (Signature Name: Cisco CUCM/CUPS Denial of Service Vulnerability) triggers a medium severity alarm on potential attempts to exploit the SCCP Port Scan Denial of Service vulnerability, which may indicate an attempt to deny the service offered by the affected platform. The following medium severity event was triggered by signature 5854/1 after a potential attempt to exploit the vulnerability.

Sensor6x# show events alert | include id=5854
    evIdsAlert: eventId=1166761098236251265 severity=medium vendor=Cisco
      originator:
    hostId: R4-IPS4240a
    appName: sensorApp
    appInstanceId: 380
  time: 2007/04/11 05:15:33 2007/04/11 00:15:33 CDT
  signature: description=Cisco CUCM/CUPS  Denial of Service Vulnerability  
             id=5854 version=S279
    subsigId: 1
    sigDetails: SCCP Port Scan Denial of Service Vulnerability
    marsCategory: DoS/MiscServer
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 192.168.208.63
      port: 34917
    target:
      addr: locality=OUT 192.168.132.44
      port: 2000
      os: idSource=unknown relevance=relevant type=unknown
  context:
    fromAttacker:

!--- Output suppressed

  triggerPacket:

!--- Output suppressed

  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 56
  threatRatingValue: 56
  interface: ge0_0
  protocol: tcp

The following Informational severity event was triggered by signature 6902/0 (Signature Name: Net Flood ICMP Request) after a potential attempt to exploit the ICMP echo request flood denial of service vulnerability.

IPS# show events alert past 00:10:00 | include id=6902

evIdsAlert: eventId=1166747458239518346 severity=informational vendor=Cisco 
  originator: 
    hostId: R4-IPS4240a
    appName: sensorApp
    appInstanceId: 480
  time: 2007/03/24 04:15:24 2007/03/23 23:15:24 CDT
  signature: description=Net Flood ICMP Request id=6902 version=S4 
    subsigId: 0
    marsCategory: DoS/Network/ICMP
  interfaceGroup: vs0
  vlan: 0
  participants: 
  alertDetails: MaxPPS during this interval: 5328 ; 
  riskRatingValue: targetValueRating=medium 25
  threatRatingValue: 25
  interface: sy0_0
  protocol: icmp

Notice that with the default Target Value Rating (medium), this event is evaluated with a low risk rating of 25.

Signature 6902/0 is disabled by default. It can be enabled as follows:

IPS# configure terminal
IPS(config)# service signature-definition sig0
IPS(config-sig)# signatures 6902 0
IPS(config-sig-sig)# status
IPS(config-sig-sig-sta)# enabled true
IPS(config-sig-sig-sta)# exit
IPS(config-sig-sig)# exit
IPS(config-sig)# exit
Apply Changes?[yes]: yes
IPS(config)# exit

IPS signature 5854/0 (Signature Name: Cisco CUCM/CUPS Denial of Service Vulnerability) triggers a medium severity alarm on potential attempts to exploit the IPSec Manager Denial of Service vulnerability, which may indicate an attempt to deny the service offered by the affected platform. The following medium severity event was triggered by signature 5854/0, on a Cisco IPS sensor deployed in promiscuous mode, after a potential attempt to exploit the vulnerability.

Sensor6x# show events alert | include id=5854   
evIdsAlert: eventId=1166754278236272652 severity=medium vendor=Cisco 
  originator: 
    hostId: Sensor6x 
    appName: sensorApp 
    appInstanceId: 7007 
  time: 2007/03/30 17:25:02 2007/03/30 12:25:02 CDT 
  signature: description=Cisco CUCM/CUPS  Denial of Service Vulnerability id=5854  
             version=S278 
    subsigId: 0 
    sigDetails: IPSec Manager Denial of Service Vulnerability 
    marsCategory: DoS/MiscServer 
  interfaceGroup: vs0 
  vlan: 0 
  participants: 
    attacker: 
      addr: locality=OUT 192.168.160.193 
      port: 1865 
    target: 
      addr: locality=OUT 192.168.138.24 
      port: 8500 
      os: idSource=unknown relevance=relevant type=unknown 
  triggerPacket: 

     <Output suppressed>
 
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 56 
  threatRatingValue: 56 
  interface: ge0_1 
  protocol: udp

Cisco Security Monitoring, Analysis, and Response System

Identification: SCCP Port Scan Denial of Service Vulnerability

The following query will show events triggered by signature 5854/1 that could be associated with attempts to exploit this vulnerability. Note the query is with All Matching Element Raw Messages result format and keyword equal to NR-5854/1.

(Figure: Cisco Security MARS query for keyword NR-5854/1 with the All Matching Element Raw Messages result format; image not reproduced.)

The following display is the result of the previous query.

(Figure: result of the preceding Cisco Security MARS query; image not reproduced.)

Identification: ICMP Echo Request Flood Denial of Service Vulnerability

The Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) console can be monitored for attempts to exploit the ICMP echo request flood denial of service vulnerability.

The following query will show events triggered by signatures that could be associated with attempts to exploit this vulnerability.

(Figure: Cisco Security MARS query for ICMP echo request flood events; image not reproduced.)

The following display is the result of the previous query.

(Figure: result of the preceding Cisco Security MARS query; image not reproduced.)

Identification: IPSec Manager Denial of Service Vulnerability

The following query will show events triggered by signatures that could be associated with attempts to exploit this vulnerability. Note the query is with All Matching Element Raw Messages result format and keyword NR-5854/0.

(Figure: Cisco Security MARS query for keyword NR-5854/0 with the All Matching Element Raw Messages result format; image not reproduced.)

The following display is the result of the previous query.

(Figure: result of the preceding Cisco Security MARS query; image not reproduced.)

Additional Information

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Revision History

Revision 1.2

2007-April-11

Included information about signature pack S279 in IPS Signatures and CS-MARS sections.

Revision 1.1

2007-March-30

Included information about S278 signature in IPS Signatures and CS-MARS sections.

Revision 1.0

2007-March-28

Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

Related Information

