Products & Services
Support

Product Categories


Popular Downloads


Manage Software

How to Buy

For Home

Linksys Products Store
Linksys is now part of Belkin
Products for everyone

All Ordering Options

Training & Events Partners
Guest

Cisco Security Response

Cisco IP Phone 7940 DoS Exploit posted on milw0rm.com

Document ID: 569

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060113-ip-phones

Revision 1.1

For Public Release 2006  January  13 21 : 30  UTC (GMT)


Contents

Response
Additional Information
Status of this Notice: Final
Revision History
Cisco Security Procedures

Cisco Response

This is a response to the Cisco IP Phone DoS exploit posted to http://www.milw0rm.com/ on January 10, 2006. The exploit sends a SYN flood that will cause affected phones to reload. Although comments within the code suggest that port 80 should be targeted, the vulnerability resides in the IP stack of the device and can be exploited on any port, regardless of whether the phone is listening.

Cisco has introduced changes to the firmware for 7940 and 7960 IP Phones that will reduce the impact of a denial of service attack. Starting with firmware revision 7.1(1), IP phones that are subject to DoS attacks have the capability to perform load control using TCP throttling. Although it may not be possible to maintain normal operation during an attack, the phones will not reload.

The changes mentioned above are documented in Cisco bug ID CSCef33398 ( registered customers only)

This vulnerability was first reported to Cisco by Knud Erik Højgaard; we thank him for making us aware of this issue. We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.

Additional Information

It is important to note that Cisco best practices for IP Telephony include several recommendations that isolate and protect IP phones from many common attacks. For optimum functionality, these devices should be deployed in accordance with those recommendations. For more information, please see:

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Revision History

Revision 1.1

2006-January-13

Updated the Cisco Response section.

Revision 1.0

2006-January-13

Initial public release

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.


Download this document (PDF)
View Printable Version