Security Intelligence Operations - Cisco Systems
Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation
 

Security Intelligence Operations


Cisco IOS Software Session Initiation Protocol Message Memory Leak Denial of Service Vulnerability
 
Vulnerability AlertPowered by Cisco Security IntelliShield Alert Manager
Threat Type:Unintended Weakness: Denial of Service
IntelliShield ID:16651
Version:1
First Published:September 24, 2008 01:26 PM EDT
Last Published:September 24, 2008 01:26 PM EDT
Vector:Network
Authentication:None
Exploit:Functional
Port:5060
CVE:CVE-2008-3799
BugTraq ID:31361
 
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base:7.8 CVSS Calculator
CVSS Version 2
CVSS Temporal:6.4
 
Version Summary:Cisco IOS Software contains a vulnerability when processing SIP messages as a part of VoIP services that could allow an unauthenticated, remote attacker to cause a denial of service condition.  Updates are available.
 
 
Description

Cisco IOS products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

The vulnerability exists due to an error when these products process Session Initiation Protocol (SIP) messages when providing Voice over IP (VoIP) services.  A memory leak can occur during the processing of valid SIP messages.  After repeated exploitation, the VoIP services on the affected device may stop processing requests.  This could result in a DoS condition on any telephony services that were being provided.  In addition, the excessive consumption of system memory by the VoIP handling services may cause the affected device to process traffic more slowly than usual.  If the exploitation continues, it may result in a reload or prevent the device from processing requests altogether.

Functional exploit code exists.

Cisco has confirmed this vulnerability in a security advisory and released updated software.
 
Warning Indicators

A complete list of affected Cisco IOS devices is available at the following link: cisco-sa-20080924-sip

Systems running an affected Cisco IOS version are vulnerable only if they have been configured to process SIP messages as a part of VoIP services.  Systems that allow SIP messages to pass through or that only perform network address translation (NAT) on transiting SIP messages are not affected.
 
IntelliShield Analysis

Although in most cases it would be necessary for VoIP services to be explicitly enabled on a device, such as by using a dial-peer command, many older versions of Cisco IOS Software enabled SIP processing by default.  This was documented in bug ID CSCsb25337, as described in IntelliShield Alert 12580.  A fix was made available as well.  Systems that were affected by the vulnerability associated with this bug ID and not yet patched would also be susceptible to exploitation of the vulnerability described in this alert.  

Cisco indicated through CVSS scoring the existence of functional exploit code; however, this exploit code is not known to be publicly available.
 
Vendor Announcements

Cisco has released a security advisory for Cisco Bug ID CSCse56800 at the following link: cisco-sa-20080924-sip 
 
Impact

An unauthenticated, remote attacker could exploit this vulnerability to cause the affected system to needlessly allocate large amounts of system memory.  This memory allocation may result in traffic processing that is slower than normal or possibly cause a reload of the affected device.  In any event, exploitation may result in a DoS condition on telephony services, which would prevent the handling of SIP messages as a part of VoIP processing.
 
Technical Information

This vulnerability can occur on an affected device during the processing of valid SIP messages.  If the device has a listener for SIP traffic, which is likely to be on UDP or TCP port 5060, an unauthenticated, remote attacker could exploit this vulnerability by sending valid SIP messages to the affected system.  SIP messages that meet certain undisclosed criteria can cause the services that handle SIP traffic as a part of VoIP processing to consume system memory unnecessarily.  Repeatedly sending malicious SIP messages to an affected system can cause the VoIP processing service to stop handling requests, resulting in a DoS condition.

Excessive use of system memory on the device by the affected service may also slow the response time of the device, potentially leading to a reload or a device state in which requests are no longer processed.  In either case, the result would be a complete DoS condition on the affected device.
 
Safeguards

Administrators are advised to apply the appropriate patches.

Administrators are advised to disable the processing of SIP messages by any VoIP services if they are not needed for business purposes.

Administrators are advised to monitor critical systems for signs of exploitation.

The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: cisco-amb-20080924-sip
 
Patches/Software

Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at tac@cisco.com.
 
Alert History
 

Initial Release

Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
CiscoIOS12.2B Base | 12.2BX Base | 12.2BY Base | 12.2CZ Base | 12.2MC Base | 12.2T Base | 12.2tpc Base | 12.2XB Base | 12.2XM Base | 12.2XT Base | 12.2XU Base | 12.2XW Base | 12.2YA Base | 12.2YB Base | 12.2YC Base | 12.2YD Base | 12.2YF Base | 12.2YH Base | 12.2YJ Base | 12.2YL Base | 12.2YM Base | 12.2YN Base | 12.2YT Base | 12.2YU Base | 12.2YV Base | 12.2YW Base | 12.2YY Base | 12.2ZB Base | 12.2ZC Base | 12.2ZD Base | 12.2ZE Base | 12.2ZF Base | 12.2ZH Base | 12.2ZJ Base | 12.2ZL Base | 12.2ZP Base | 12.3 Base, T | 12.3B Base | 12.3T Base | 12.3TPC Base | 12.3VA Base | 12.3XA Base | 12.3XB Base | 12.3XC Base | 12.3XD Base | 12.3XE Base | 12.3XF Base | 12.3XG Base | 12.3XI Base | 12.3XJ Base | 12.3XK Base | 12.3XL Base | 12.3XQ Base | 12.3XR Base | 12.3XU Base | 12.3XW Base | 12.3XX Base | 12.3XY Base | 12.3XZ Base | 12.3YF Base | 12.3YG Base | 12.3YK Base | 12.3YM Base | 12.3YQ Base | 12.3YS Base | 12.3YT Base | 12.3YU Base | 12.3YX Base | 12.3YZ Base | 12.3ZA Base | 12.4 Base | 12.4MR Base | 12.4T Base | 12.4XA Base | 12.4XB Base | 12.4XC Base | 12.4XD Base | 12.4XE Base | 12.4XJ Base | 12.4XL Base | 12.4XP Base | 12.4XT Base | 12.4XV Base | 12.4XW Base | 12.4XY Base

Associated Products:
N/A


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

Related Links

Feedback

 Which alert section is most useful?
 Affected Products/Versions
Patches/Software Updates
Safeguards
Technical Information/Analysis
Description
 
What additional information should IntelliShield alerts include?
 
Do you use the CVSS scoring provided in alerts? Why?