Cisco: Multiple Vulnerabilities in Cisco PGW Softswitch

Multiple vulnerabilities exist in the Cisco PGW 2200 Softswitch series of products and they are related to processing Session Initiation Protocol (SIP) or Media Gateway Control Protocol (MGCP) messages.

SIP is a popular signaling protocol used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible to accommodate for other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP port 5061) as the underlying transport protocol.

MGCP is the protocol for controlling telephony gateways from external call control elements known as media gateway controllers or call agents. A telephony gateway is a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or other packet networks.

Multiple DoS vulnerabilities exist in the Cisco PGW 2200 Softswitch SIP implementation, and one vulnerability is in the MGCP implementation.

The following vulnerabilities can cause affected devices to crash:

  • CSCsl39126 (registered customers only), CVE ID CVE-2010-0601
  • CSCsk32606 (registered customers only), CVE ID CVE-2010-0602
  • CSCsk40030 (registered customers only), CVE ID CVE-2010-0603
  • CSCsk38165 (registered customers only), CVE ID CVE-2010-0604
  • CSCsk44115 (registered customers only), CVE ID CVE-2010-1561
  • CSCsj98521 (registered customers only), CVE ID CVE-2010-1562
  • CSCsk04588 (registered customers only), CVE ID CVE-2010-1563
  • CSCsz13590 (registered customers only), CVE ID CVE-2010-1567

The following vulnerability may cause an affected device to be unable to accept or create a new TCP connection. Existing calls will not be terminated, but no new SIP connections will be established. If exploited, this vulnerability will also prevent the device from establishing any new HTTP, SSH or Telnet sessions.

  • CSCsk13561 (registered customers only), CVE ID CVE-2010-1565

There are no workarounds for the vulnerabilities in this advisory.

Read more on http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml

Cisco: CUCM DoS Vulnerabilities

Cisco Unified Communications Manager (formerly Cisco CallManager) contains multiple denial of service (DoS) vulnerabilities that if exploited could cause an interruption of voice services. The Session Initiation Protocol (SIP), Skinny Client Control Protocol (SCCP) and Computer Telephony Integration (CTI) Manager services are affected by these vulnerabilities.

To address these vulnerabilities, Cisco has released free software updates for select Cisco Unified Communications Manager versions. There is a workaround for of one the vulnerabilities.

The following products are affected by vulnerabilities that are described in this advisory:

* Cisco Unified Communications Manager 4.x
* Cisco Unified Communications Manager 5.x
* Cisco Unified Communications Manager 6.x
* Cisco Unified Communications Manager 7.x

Administrators can mitigate the SCCP- and SIP-related vulnerabilities by implementing filtering on screening devices to permit access to TCP ports 2000 and 2443, and TCP and UDP ports 5060 and 5061 only from networks that require SCCP and SIP access to Cisco Unified Communications Manager appliances.

It is possible to mitigate the CTI Manager vulnerability by disabling the CTI Manager service t is not necessary; however, this workaround will interrupt applications that reply on the CTI Manager service. Administrators can also mitigate the vulnerability by implementing filtering on screening devices to permit access to TCP port 2748 only from networks that require access to the CTI Manager service.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100303-cucm.shtml

Multiple Vulnerabilities in Cisco ASA 5500 Series

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml

Cisco FWSM SCCP Inspection DoS Vulnerability

A vulnerability exists in the Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers that may cause the Cisco FWSM to reload after processing a malformed Skinny Client Control Protocol (SCCP) message. The vulnerability exists when SCCP inspection is enabled.

Cisco has released free software updates that address this vulnerability.

All non-fixed 4.x versions of Cisco FWSM Software are affected by this vulnerability if SCCP inspection is enabled. SCCP inspection is enabled by default.

To check if SCCP inspection is enabled, issue the show service-policy | include skinny command and confirm that the command returns output. Example output follows:

fwsm#show service-policy | include skinny
Inspect: skinny , packet 0, drop 0, reset-drop 0

If SCCP inspection is not required, this vulnerability can be mitigated by disabling it. Administrators can disable SCCP inspection by issuing the no inspect skinny command in class configuration sub-mode within the policy map configuration. If SCCP inspection is required, there are no workarounds.

Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml

SNMP Version 3 Authentication Vulnerabilities

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default in Cisco products. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.

Vulnerable products:
# Cisco IOS
# Cisco IOS-XR
# Cisco Catalyst Operating System (CatOS)
# Cisco NX-OS
# Cisco Application Control Engine (ACE) Module
# Cisco ACE Appliance
# Cisco ACE XML Gateway
# Cisco MDS 9000 Series Multilayer Fabric Switches
# Cisco Wireless LAN Controller (WLC)
# Cisco Application and Content Networking System (ACNS)
# Cisco Wide Area Application Services (WAAS)
# Cisco MGX 8850, 8880 Media Gateway and Switch
# Cisco PSTN Gateway (PGW2200)

Read more on Cisco Security Advisory