mobilitybion.blogg.se

Sip definition xe

A vulnerability in the common Session Initiation Protocol (SIP) library of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

The vulnerability is due to insufficient sanity checks on an internal data structure. An attacker could exploit this vulnerability by sending a sequence of malicious SIP messages to an affected device. An exploit could allow the attacker to cause a NULL pointer dereference, resulting in a crash of the iosd process. This triggers a reload of the device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:

This advisory is part of the September 25, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 12 Cisco Security Advisories that describe 13 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: September 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

This vulnerability affects Cisco routers that are running a vulnerable release of Cisco IOS or IOS XE Software with any of the following features enabled:

- Cisco Unified Communications Manager Express (CME)
- Cisco IOS Gateways with Session Initiation Protocol (SIP)
- Cisco Unified Survivable Remote Site Telephony (SRST)

For more information about which Cisco IOS and IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory.

To determine whether a device is vulnerable, administrators can use the show processes | include CCSIP_SPI_CONTRO command in the CLI and look for the presence of the CCSIP_SPI_CONTRO process. The following example shows the output of the show processes | include CCSIP_SPI_CONTRO command on a device that has at least one of the affected features enabled and is thus vulnerable:

    Router# show processes | include CCSIP_SPI_CONTRO
    Ħ71 Mwe 561F108FE8BA 10 11 909234584/240000 0 CCSIP_SPI_CONTRO

Empty output of this command would indicate that none of the affected features are enabled and the device is not vulnerable.

There are no workarounds that address this vulnerability.

Customers who do not use any SIP feature but who have other voice-related features enabled, which automatically enable the SIP processes in Cisco IOS Software and Cisco IOS XE Software releases prior to Release 16.11, can shut down the SIP ports by issuing the following commands in global configuration mode:

    Router(config)#sip-ua
    Router(config-sip-ua)#no transport tcp tls

Alternatively, customers can block traffic targeted to the designated SIP ports using infrastructure access control lists (iACLs). Using iACLs is a network security best practice and should be considered as a long-term addition to good network security as well as a mitigation for this specific issue. To help protect all devices with IP addresses in the infrastructure IP address range, customers are advised to include the following iACL example as part of the deployed iACL:

    !.
    !- Deny SIP traffic from all other sources destined
    access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 5060
    access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 5060
    access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 5061
    !- Permit/deny all other Layer 3 and Layer 4 traffic in
    !- accordance with existing security policies and
    !- Apply access-list to all interfaces (only one example

For further guidelines and recommendations for deployment techniques for iACLs, see the white paper Protecting Your Core: Infrastructure Protection Access Control Lists and the Cisco Guide to Harden Cisco IOS Devices.
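
The two checks this advisory describes (the CCSIP_SPI_CONTRO process test and the iACL entries for the SIP ports) can be run over captured device output. The following Python audit is an added example, not part of the advisory or of Cisco's tooling. The function names, the sample process row, the sample ACL lines and the 192.0.2.0/24 range are constructed for illustration. It assumes numbered extended ACEs with source "any" and reports only what the ACL explicitly denies.

```python
import ipaddress
import re

# SIP listeners named in the advisory's iACL entries.
SIP_PORTS = [("udp", 5060), ("tcp", 5060), ("tcp", 5061)]
# Numbered extended ACE with source "any"; destination is "any" or "ADDR WILDCARD".
ACE = re.compile(r"access-list (\d+) (permit|deny) (ip|tcp|udp) any "
                 r"(any|\S+ \S+)(?: eq (\d+))?$")
PROC_ROW = re.compile(r"^\s*\d+\s.*\bCCSIP_SPI_CONTRO\s*$")
# Constructed sample data; 192.0.2.0/24 stands in for INFRASTRUCTURE_ADDRESSES WILDCARD.
SAMPLE_SHOW = " 123 Mwe 0 10 11 1000/240000 0 CCSIP_SPI_CONTRO\n"
SAMPLE_ACL = ("access-list 150 deny udp any 192.0.2.0 0.0.0.255 eq 5060\n"
              "access-list 150 deny tcp any 192.0.2.0 0.0.0.127 eq 5060\n"
              "access-list 150 permit ip any any\n")

def sip_process_running(show_output):
    """True if a `show processes | include CCSIP_SPI_CONTRO` capture has a process row."""
    return any(PROC_ROW.match(line) for line in show_output.splitlines())

def dest_network(dest):
    """ACE destination as one prefix; None if unparsable or a non-contiguous wildcard."""
    try:
        if dest == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        addr, wildcard = dest.split()
        w = int(ipaddress.IPv4Address(wildcard))
        if w & (w + 1):
            return None
        return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)
    except ValueError:
        return None

def exposed_sip_ports(config, acl, infra):
    """SIP (proto, port) pairs ACL `acl` does not explicitly deny from any source to `infra`."""
    target = ipaddress.ip_network(infra)
    aces = [m.groups() for m in map(ACE.match, map(str.strip, config.splitlines())) if m]
    def denied(proto, port):
        for num, action, ace_proto, dest, ace_port in aces:
            if num != acl or ace_proto not in ("ip", proto) or ace_port not in (None, str(port)):
                continue
            net = dest_network(dest)
            # First match wins; an unparsable permit is assumed to expose the range.
            if action == "permit" and (net is None or net.overlaps(target)):
                return False
            if action == "deny" and net is not None and target.subnet_of(net):
                return True
        return False  # no explicit deny reached
    return [p for p in SIP_PORTS if not denied(*p)]
```

On the constructed sample, `exposed_sip_ports(SAMPLE_ACL, "150", "192.0.2.0/24")` reports tcp/5060 and tcp/5061. The tcp/5060 deny covers only half of the range before the trailing permit matches, and tcp/5061 has no deny entry at all.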











