Cisco: Multiple Vulnerabilities in Cisco PGW Softswitch

Multiple vulnerabilities exist in the Cisco PGW 2200 Softswitch series of products and they are related to processing Session Initiation Protocol (SIP) or Media Gateway Control Protocol (MGCP) messages.

SIP is a popular signaling protocol used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible to accommodate for other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP port 5061) as the underlying transport protocol.

MGCP is the protocol for controlling telephony gateways from external call control elements known as media gateway controllers or call agents. A telephony gateway is a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or other packet networks.

Multiple DoS vulnerabilities exist in the Cisco PGW 2200 Softswitch SIP implementation, and one vulnerability is in the MGCP implementation.

The following vulnerabilities can cause affected devices to crash:

  • CSCsl39126 (registered customers only), CVE ID CVE-2010-0601
  • CSCsk32606 (registered customers only), CVE ID CVE-2010-0602
  • CSCsk40030 (registered customers only), CVE ID CVE-2010-0603
  • CSCsk38165 (registered customers only), CVE ID CVE-2010-0604
  • CSCsk44115 (registered customers only), CVE ID CVE-2010-1561
  • CSCsj98521 (registered customers only), CVE ID CVE-2010-1562
  • CSCsk04588 (registered customers only), CVE ID CVE-2010-1563
  • CSCsz13590 (registered customers only), CVE ID CVE-2010-1567

The following vulnerability may cause an affected device to be unable to accept or create a new TCP connection. Existing calls will not be terminated, but no new SIP connections will be established. If exploited, this vulnerability will also prevent the device from establishing any new HTTP, SSH or Telnet sessions.

  • CSCsk13561 (registered customers only), CVE ID CVE-2010-1565

There are no workarounds for the vulnerabilities in this advisory.


Great tool for testing QoS implementation

After my last post, some readers were asking what tool did I used for testing the QoS and how satisfied I’m with it.

The name of the tool is Packgen. According to its developer developers, “Packgen is a simple network packet generator handling diffserv markers, useful for testing network bandwidth and QoS.” It support features like:
– Network packet flows generation with given bandwidth (packets sent at each time interval depending on the bandwidth to produce and the size of the packets to generate);
– UDP and TCP flows;
– DSCP marking;
– Log generation which gives the possibility to compute statistics on the flows (to come later).

The main difference between IPerf (which is also a great testing tool, especially for bandwidth, jitter, packet loss tests…) and Packgen, is that the last one support diffserv marking natively. Of course you can achieve the same results with IPerf, with and ACL and inbound marking of the packets matched in the access-list, but with Packgen this is straight forward.

I had a little issue when downloading this tool, as the first result in Google search engine directed me to a page with no download link: This contains all the needed information about features, installation and how to use it (actually one of the best README that I ever saw for such tools), but no suggestion where to download the package. I search a little bit and you can download it from this official link.

To install this tool, you need to have Ruby on your system and then just run from inside the unpacked Packgen folder:

ruby ./setup.rb

Now some words about how to use it. From my post about AutoQoS, you can see that you need at least one client and one server. This 2 devices, use different files with Packgen (Don’t worry as the files come in the source package and if not, it’s very easy to create them).
First the server file, called listen.yml (if you create it, you can give whatever name you want) looks like this:



ports: !ruby/range 17000..17002

ports: !ruby/range 5002..5004

As you can see, there are 2 sections defined for UDP and TCP traffic. Then with “!ruby/range” you define a range where the server will listen. However, you can also simply use an Integer port number.

Then on theĀ  client side, there is file called sent.yml:



name: Voice
bandwidth: 700Kb
packet_size: 252B
dscp: ef !ruby/range 0.0..60.0

name: Video
bandwidth: 2.8Mb
packet_size: 750B
dscp: cs4 !ruby/range 10.0..60.0

name: Best Effort
bandwidth: 3.2Mb
packet_size: 1KB !ruby/range 20.0..60.0

name: Background
bandwidth: 3.2Mb
packet_size: 1KB
dscp: cs1 !ruby/range 30.0..60.0

Here it’s a little bit more complex, but still human readable. This file also have 2 sections for UDP and TCP traffic, with the following paramters being defined:

-name: I believe it say everything
-host: ServerIP:port
-bandwidth: bandwidth to simulate
-packet size: packet in size in B, KB
-dscp: value !ruby/range: time intervals

After everything is defined, you just have to run Packgen to test.
On Server side first:

packgen -i listen.yml

Then on Client side:

packgen -i sent.yml

Optional you can add the -l file option, which will log the traffic send:

1258663872.6248 SEND dest=
1258663882.62591 SEND dest=
1258663895.65219 SEND dest=
1258663905.66876 SEND dest=
1258663933.72797 STOP dest=

or received:

1258663869.80496 LISTEN port=16384 proto=udp
1258663869.81079 LISTEN port=16385 proto=udp
1258663869.81441 LISTEN port=5002 proto=tcp
1258663869.81506 LISTEN port=5003 proto=tcp
1258663872.5886 RECV sent_at=1258663872.64102 flow=0 size=252 id=6
1258663872.58893 RECV sent_at=1258663872.64613 flow=0 size=252 id=7
1258663872.58903 RECV sent_at=1258663872.64719 flow=0 size=252 id=8
1258663872.58915 RECV sent_at=1258663872.65052 flow=0 size=252 id=9
1258663872.58924 RECV sent_at=1258663872.6742 flow=0 size=252 id=10

The configuration files and logs excerpt were from my AutoQos test. If you have any issues with using it, please contact me, or just check in details the documentation from developers site.