There are no workarounds for the vulnerabilities described in this
It is possible to mitigate this vulnerability by implementing filtering
on screening devices and permitting access to TCP ports 5060 and 5061 and to
UDP ports 5060 and 5061 only from networks that require SIP access to Cisco
Unified Communications Manager servers.
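As an added example (not part of the Cisco advisory), the following Python script applies the filtering rule described above to flow records, so that sources the filter would block can be identified before the rule is deployed on a screening device. The Cisco Unified Communications Manager address, the permitted SIP network and the flow records are constructed assumptions that use documentation address ranges.

```python
import ipaddress

# Protocol/port pairs named in the advisory's filtering guidance.
SIP_PORTS = {("tcp", 5060), ("tcp", 5061), ("udp", 5060), ("udp", 5061)}

# Assumptions for illustration only (documentation ranges, not from the advisory).
CUCM_SERVERS = {ipaddress.ip_address("198.51.100.10")}
SIP_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed flow records: "proto src_ip src_port dst_ip dst_port"
SAMPLE_FLOWS = """\
tcp 192.0.2.15 49152 198.51.100.10 5060
udp 203.0.113.7 5060 198.51.100.10 5060
tcp 203.0.113.7 40000 198.51.100.10 5061
tcp 203.0.113.7 40001 198.51.100.10 8443
udp 192.0.2.99 5060 198.51.100.10 5061
tcp 203.0.113.9 40002 198.51.100.20 5060
"""

def parse_flow(line):
    """Split one record into (proto, src address, dst address, dst port)."""
    proto, src, _sport, dst, dport = line.split()
    return proto.lower(), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)

def verdict(proto, src, dst, dport):
    """Return 'permit', 'deny' or 'out-of-scope' for one flow."""
    if dst not in CUCM_SERVERS or (proto, dport) not in SIP_PORTS:
        return "out-of-scope"  # the filter only concerns SIP traffic to CUCM
    if any(src in net for net in SIP_NETWORKS):
        return "permit"        # source is a network that requires SIP access
    return "deny"              # SIP to CUCM from any other network

def audit(text):
    """Evaluate every non-empty record; return (src, proto, dport, verdict) tuples."""
    results = []
    for line in text.splitlines():
        if line.strip():
            proto, src, dst, dport = parse_flow(line)
            results.append((str(src), proto, dport, verdict(proto, src, dst, dport)))
    return results

def denied_sources(text):
    """Sorted list of source addresses the filter would block."""
    return sorted({src for src, _p, _d, v in audit(text) if v == "deny"})

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(*row)
```

If the SIP ports are later moved to non-standard values, `SIP_PORTS` must be updated to match.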
If Cisco Unified Communications Manager does not need to provide SIP
services, administrators can configure the Cisco Unified Communications Manager
to listen for SIP messages on non-standard ports. Use the following
instructions to change the ports from their default values:
Step 1: Log in to the Cisco Unified Communications Manager Administration web interface.
Step 2: Navigate to System > Cisco Unified CM and locate the appropriate Cisco Unified Communications Manager.
Step 3: Change the SIP Phone Port and SIP Phone Secure Port fields to a non-standard port and click Save.
The SIP Phone Port, which is set to 5060 by default, refers to the TCP
and UDP ports on which the Cisco Unified Communications Manager listens for
normal SIP messages. SIP Phone Secure Port, which is set to 5061 by default,
refers to the TCP port on which the Cisco Unified Communications Manager
listens for SIP over Transport Layer Security (TLS) messages. For additional
information about this procedure, refer to the "Updating a Cisco Unified
Communications Manager" section of the "Cisco Unified Communications Manager
Administration Guide" at:
Note: For a SIP port change to take effect, the Cisco
CallManager Service must be restarted. For information on how to restart the
service, refer to the "Restarting the Cisco CallManager Service" section of the
administration guide at:
Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory: