A vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device.
The vulnerability is due to incorrect processing of specific SIP messages. An attacker could exploit this vulnerability by sending a crafted SIP message on an established call or by initiating a call that includes the crafted SIP message, which would trigger a device reload. Only traffic destined to the device can trigger the vulnerability; transit SIP traffic is not an exploit vector. The vulnerability can be exploited with SIP over IP version 4 (IPv4) or IP version 6 (IPv6), and with SIP over either UDP or TCP.
Cisco has confirmed the vulnerability in a security advisory and released software updates.
Indicators of Compromise
Devices running an affected release of Cisco IOS Software and configured to process SIP messages are vulnerable. Customers are advised to use the Cisco IOS Software Checker tool to determine whether devices are running an affected release of Cisco IOS Software. The tool also provides information about releases that correct the vulnerabilities.
Cisco has published a list of affected Cisco IOS XE Software releases in the security advisory. The "Vendor Announcements" section of this alert contains a link to the advisory.
The vulnerability is due to improper processing of specific SIP messages by an affected device.
An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted SIP message to a targeted device on an established call, or by initiating a call to the device that includes the crafted SIP message. A successful exploit could cause the targeted device to reload, resulting in a DoS condition.
To exploit this vulnerability, an attacker may need access to trusted, internal network resources behind a firewall to send crafted SIP messages to a targeted device. This access requirement reduces the possibility of a successful exploit. In addition, the attacker may need to acquire additional information prior to an exploit attempt, such as whether the targeted device is configured to process SIP messages.
It is possible that an attacker may attempt to spoof the source address of an IP packet because SIP can use UDP as a transport protocol. This could allow the attacker to bypass access control lists that permit communication to SIP ports from trusted IP addresses. To limit the appearance of spoofed addresses on a trusted, enterprise network, administrators can use Unicast Reverse Path Forwarding.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
Administrators are advised to apply the appropriate updates.
Administrators may consider disabling SIP listening ports for devices that do not require SIP. Administrators are advised to review the "Workarounds" section in the security advisory and consider the warning note if applying this workaround.
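The two configuration-side safeguards above (Unicast Reverse Path Forwarding and disabling SIP listening ports) can be checked offline against saved configurations. The Python sketch below is an added example, not part of the Cisco alert: the sample configuration is constructed, and treating a `dial-peer voice` or `sip-ua` section as the sign that a device may process SIP is an assumption to confirm against the advisory.

```python
# Constructed sample running-config (placeholder interface names and addresses).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
dial-peer voice 100 voip
 session protocol sipv2
!
sip-ua
 no transport udp
 no transport tcp
!
"""

# sip-ua subcommands that close the SIP listening ports (UDP, TCP, TLS over TCP).
SIP_TRANSPORT_OFF = {"no transport udp", "no transport tcp", "no transport tcp tls"}

def parse_sections(config):
    """Map each top-level config line to the indented lines beneath it."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue  # skip blanks and '!' separators
        if not line.startswith(" "):
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def audit(config):
    """Return review items: open SIP transports and routed interfaces without uRPF."""
    sections = parse_sections(config)
    findings = []
    # Assumption: a dial-peer voice or sip-ua section means SIP may be processed.
    uses_voice = any(k.startswith("dial-peer voice") or k == "sip-ua" for k in sections)
    missing = SIP_TRANSPORT_OFF - set(sections.get("sip-ua", []))
    if uses_voice and missing:
        findings.append("sip-ua is missing: " + ", ".join(sorted(missing)))
    for name, body in sections.items():
        routed = any(l.startswith("ip address ") for l in body)
        urpf = any(l.startswith("ip verify unicast source") for l in body)
        if name.startswith("interface ") and routed and not urpf:
            findings.append(name + ": uRPF not configured")
    return findings
```

Findings are items to review, not proof of exposure: a device that needs SIP cannot disable its transports, and whether a release is affected is still determined with the Cisco IOS Software Checker.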
Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via email at firstname.lastname@example.org.