Security Intelligence Operations - Cisco Systems
Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation
 

Security Intelligence Operations


Cisco Unified Communications Manager Session Initiation Protocol Message Reload Denial of Service Vulnerability
 
Vulnerability AlertPowered by Cisco Security IntelliShield Alert Manager
Threat Type:Unintended Weakness: Denial of Service
IntelliShield ID:16667
Version:1
First Published:September 24, 2008 02:07 PM EDT
Last Published:September 24, 2008 02:07 PM EDT
Vector:Network
Authentication:None
Exploit:Functional
Port:5060 , 5061
CVE:CVE-2008-3800
BugTraq ID:31361 , 31367
 
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base:7.1 CVSS Calculator
CVSS Version 2
CVSS Temporal:5.9
 
Version Summary:

Cisco Unified Communications Manager contains a vulnerability that could allow an unauthenticated, remote attacker to create a denial of service vulnerability. Updated software is available.

 
 
Description

Cisco Unified Communications Manager contains a vulnerability that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition.

The vulnerability exists in the Session Initiation Protocol (SIP) service when handling crafted messages under certain conditions, probably operating under heavy traffic conditions. An attacker could exploit this vulnerability by sending a series of malicious SIP messages to the targeted system. Due to an error, the system fails to properly handle the message and reloads, resulting in a DoS condition.

Functional exploit code exists.

Cisco has confirmed this vulnerability and released updated software.
 
Warning Indicators

The following Cisco Unified Communications Manager versions are vulnerable:

  • Cisco Unified Communications Manager prior to 6.1(2)su1
  • Cisco Unified Communications Manager prior to 5.1(3d)
  • Cisco Unified Communications Manager prior to 4.3(2)SR1a
  • Cisco Unified Communications Manager prior to 4.2(3)SR4b
  • Cisco Unified Communications Manager prior to 4.1.3SR8
 
IntelliShield Analysis

To exploit this vulnerability, an attacker must send a malicious SIP message to the affected system. An exploit could cause the affected application to reload and disrupt voice communication services. SIP processing is not enabled by default in the 4.x branch of Cisco Unified CallManager unless an SIP trunk has been configured. On Cisco Unified Communications Manager versions 5.0 and later, SIP handling is enabled by default and cannot be disabled.

The malicious messages used to trigger this vulnerability are valid SIP messages, which makes discovery of an attempted exploit more difficult.

Cisco IOS software shares this same vulnerability, described in IntelliShield alert 16660. However, on Cisco Unified Communications Manager systems, the attack vector has a higher complexity. The attacker would likely need to send a series of malicious packets to a targeted system that is operating under heavy traffic conditions.

Cisco indicated through CVSS scoring the existence of functional exploit code; however, this exploit code is not known to be publicly available.

Versions of Cisco Unified CallManager beyond 4.1 have been renamed Cisco Unified Communications Manager.
 
Vendor Announcements

Cisco has released a security advisory to address Cisco bug ID CSCsu38644 at the following link: cisco-sa-20080924-cucm

 
Impact
An unauthenticated, remote attacker could exploit this vulnerability to cause the Cisco Unified Communications Manager process to reload. This condition could result in a disruption of voice communication services.
 
Technical Information

The vulnerability is due to an error when handling SIP messages that are sent to an affected system while operating under certain conditions. The targeted system would probably be operating under heavy traffic conditions. An unauthenticated, remote attacker could exploit this vulnerability by sending a series of malicious SIP messages to the targeted system. This action could allow the attacker to cause the Cisco Unified Communications Manager process to reload, disrupting voice communication services.

 
Safeguards

Administrators are advised to apply the appropriate update.

Administrators are advised to monitor critical systems for signs of suspicious activity.

Administrators are advised to restrict network access to affected systems to trusted systems or trusted networks.

The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: cisco-amb-20080924-sip

 
Patches/Software
Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at tac@cisco.com.
 
Alert History
 

Initial Release

Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
CiscoCisco CallManager4.1 Base | 4.1(2) Base | 4.1(2)ES33 Base | 4.1(2)ES50 Base | 4.1(2)SR1 Base | 4.1(3) Base | 4.1(3)2 Base | 4.1(3)SR Base | 4.1(3)SR1 Base | 4.1(3)SR2 Base | 4.1(3)SR3 Base | 4.1(3)SR3b Base | 4.1(3)SR3c Base | 4.1(3)SR4 Base | 4.1(3)SR4b Base | 4.1(3)SR4d Base | 4.1(3)SR5 Base | 4.2(1.02) Base | 4.2(1.05.3) Base | 4.2(1.06) Base | 4.2(1.07) Base | 4.2(1) Base | 4.2(1)SR1b Base | 4.2(3) Base | 4.2(3)SR1 Base | 4.2(3)SR2 Base | 4.3 Base | 4.3(1.57) Base | 4.3(1) Base | 4.3(1)SR Base | 4.3(1)SR1 Base | 4.3(1)SR1a Base | 4.3(1)SR1b Base | 5.0(1) Base | 5.0(2) Base | 5.0(2a) Base | 5.0(3.1101) Base | 5.0(3) Base | 5.0(3a) Base | 5.0(4.2136.001) Base | 5.0(4.2137.001) Base | 5.0(4.2137.002) Base | 5.0(4) Base | 5.0(4a) Base | 5.0(4a)SU1 Base | 5.0(4c) Base | 5.1 Base | 5.1(1.9131.045) Base | 5.1(1) Base | 5.1(1a) Base | 5.1(1b) Base | 5.1(1c) Base | 5.1(2) Base | 5.1(2a) Base | 5.1(2b) Base | 5.1(3) Base | 5.1(3a) Base | 5.1(3b) Base | 5.1(3c) Base | 6.0(0.9901.169) Base | 6.0(0.9901.190) Base | 6.0(1) Base | 6.0(1a) Base | 6.0(1b) Base | 6.1 Base | 6.1(1) Base | 6.1(1a) Base | 6.1(2) Base
CiscoCisco Unified CallManager5.0 (1), (2), (2a), (3), (3.1101), (3a), (4), (4a), (4a)SU1 | 5.1 Base

Associated Products:
N/A


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

Related Links

Feedback

 Which alert section is most useful?
 Affected Products/Versions
Patches/Software Updates
Safeguards
Technical Information/Analysis
Description
 
What additional information should IntelliShield alerts include?
 
Do you use the CVSS scoring provided in alerts? Why?