Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerabilities

Summary

Cisco Unified Communications Manager contains two denial of service (DoS) vulnerabilities that affect the processing of Session Initiation Protocol (SIP) messages.

Credit:

The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20100922-cucmsip.shtml


Details

Vulnerable Systems:
 * Cisco Unified Communications Manager 6.x
 * Cisco Unified Communications Manager 7.x
 * Cisco Unified Communications Manager 8.x

Immune Systems:
 * Cisco Unified Communications Manager 4.x

Cisco Unified Communications Manager contains two DoS vulnerabilities that involve the processing of SIP messages. Each vulnerability is triggered by a malformed SIP message that could cause a critical process to fail, which could result in the disruption of voice services. All SIP ports (TCP ports 5060 and 5061 and UDP ports 5060 and 5061) are affected. Exploitation of these vulnerabilities could cause an interruption of voice services.

Patch Availability:
Please refer to section ‘Software Versions and Fixes’ at:
http://www.cisco.com/warp/public/707/cisco-sa-20100922-cucmsip.shtml

Workaround:
Cisco Unified Communications Manager versions 6.1, 7.1 and 8.0 introduced the ability to disable SIP processing. SIP processing is enabled by default. Use the following instructions to disable SIP processing:

Step 1: Log into the Cisco Unified CM Administration web interface.

Step 2: Navigate to System > Service Parameters and select the appropriate Cisco Unified Communications Manager server and the ‘Cisco CallManager’ service.

Step 3: Change the ‘SIP Interoperability Enabled’ parameter to False, and click Save.

For information on how to restart the service, refer to the ‘Restarting the Cisco CallManager Service’ section of the document at:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124

CVE Information:
CVE-2010-2835
CVE-2010-2834

Disclosure Timeline:
2010-September-22 Public Release
