Security Intelligence Operations - Cisco Systems

Cisco IOS Skinny Call Control Protocol Fragmented Message Denial of Service Vulnerability

 
Vulnerability Alert
Powered by Cisco Security IntelliShield Alert Manager

Threat Type: Unintended Weakness: Denial of Service
IntelliShield ID: 16670
Version: 1
First Published: September 24, 2008 01:26 PM EDT
Last Published: September 24, 2008 01:26 PM EDT
Vector: Network
Authentication: None
Exploit: Functional
Port: 2000
CVE: CVE-2008-3810, CVE-2008-3811
BugTraq ID: 31359

Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base: 7.8 (CVSS Version 2)
CVSS Temporal: 6.4
 
Version Summary:

Cisco IOS software contains a vulnerability when handling Skinny Call Control Protocol messages that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updated software is available.

 
 
Description

Cisco IOS software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

The vulnerability exists due to an error in the Network Address Translation (NAT) Skinny Call Control Protocol (SCCP) Fragmentation Support feature. This feature allows Cisco IOS devices to communicate using fragmented SCCP messages. An unauthenticated, remote attacker could exploit this vulnerability by sending fragmented SCCP messages to the targeted device. The malicious messages could cause the targeted device to reload, disrupting normal services.

Functional exploit code exists.

Cisco has confirmed this vulnerability and released updated software.

 
Warning Indicators

Cisco has published a list of affected Cisco IOS products in the security advisory. Products in this list are only vulnerable if they are configured to perform NAT.

 
IntelliShield Analysis

In order for an attacker to exploit the vulnerability, the fragmented SCCP packets must undergo NAT. NAT can occur if a remote attacker on the private network side of the affected device sends fragmented SCCP packets through the affected device, either to the WAN interface or through the device to an external IP address.

Cisco indicated through CVSS scoring the existence of functional exploit code; however, this exploit code is not known to be publicly available.

 
Vendor Announcements

Cisco has released a security advisory for Cisco bug IDs CSCsg22426 and CSCsi17020 at the following link: cisco-sa-20080924-sccp

 
Impact

An unauthenticated, remote attacker could exploit this vulnerability to cause the targeted device to reload, disrupting normal services.

 
Technical Information

The vulnerability affects Cisco IOS devices that are configured to perform NAT. On affected systems, this configuration will enable the NAT SCCP Fragmentation Support feature. An unauthenticated, remote attacker could exploit this vulnerability by sending a series of fragmented SCCP messages to the targeted device. Such messages could cause the targeted device to reload, disrupting normal services.

 
Safeguards

Administrators are advised to apply the appropriate updates.

Administrators may consider disabling SCCP NAT support on affected devices.

Administrators are advised to monitor affected systems for signs of exploitation.
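
One way to triage devices against the conditions this alert describes (release train in the Primary Products list, NAT configured, SCCP NAT support still active), as an added example that is not part of the Cisco alert. The interface commands `ip nat inside` / `ip nat outside` and the line `no ip nat service skinny tcp port 2000` are assumed from standard IOS CLI rather than quoted from this page, and the sample device output is constructed.

```python
import re

# Release trains copied from this alert's "Primary Products" list (all 12.4).
LISTED_TRAINS = {"MD", "MR", "SW", "T", "XC", "XE", "XF", "XG", "XJ", "XK",
                 "XL", "XM", "XN", "XP", "XT", "XV", "XW"}
# Assumption: standard IOS CLI syntax, not quoted on the alert page.
NAT_IF = re.compile(r"^[ \t]*ip nat (?:inside|outside)[ \t]*$", re.M)
SKINNY_OFF = re.compile(r"^[ \t]*no ip nat service skinny tcp port (\d+)[ \t]*$", re.M)
VERSION = re.compile(r"Version (\d+\.\d+)\(\d+[a-z]?\)([A-Z]*)")

def train_of(show_version):
    """Return (major, train), e.g. ('12.4', 'T'); None if no version found."""
    m = VERSION.search(show_version)
    return (m.group(1), m.group(2)) if m else None

def audit(show_version, running_config, sccp_port="2000"):
    """Classify one device; a listed train still needs the fixed-release
    check in Cisco's advisory, which this alert does not reproduce."""
    ver = train_of(show_version)
    if ver is None:
        return "unknown-version"
    if ver[0] != "12.4" or ver[1] not in LISTED_TRAINS:
        return "train-not-listed"
    if not NAT_IF.search(running_config):
        return "listed-train-no-nat"
    if sccp_port in SKINNY_OFF.findall(running_config):
        return "listed-train-sccp-nat-disabled"
    return "review"  # listed train, NAT on, SCCP NAT support active

# Constructed sample output, not taken from a real device.
SAMPLE_VERSION = "Cisco IOS Software, 2800 Software, Version 12.4(15)T1, RELEASE SOFTWARE"
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface FastEthernet0/0 overload
"""

if __name__ == "__main__":
    print(audit(SAMPLE_VERSION, SAMPLE_CONFIG))
    print(audit(SAMPLE_VERSION, SAMPLE_CONFIG + "no ip nat service skinny tcp port 2000\n"))
```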

 
Patches/Software

Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at tac@cisco.com.

 
Alert History
 

Initial Release



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Cisco IOS: 12.4MD Base | 12.4MR Base | 12.4SW Base | 12.4T Base | 12.4XC Base | 12.4XE Base | 12.4XF Base | 12.4XG Base | 12.4XJ Base | 12.4XK Base | 12.4XL Base | 12.4XM Base | 12.4XN Base | 12.4XP Base | 12.4XT Base | 12.4XV Base | 12.4XW Base

Associated Products:
N/A



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.