Networking

Lock IT Down: SIP flaw leads to multiple Cisco vulnerabilities

Learn how a flaw in the Session Initiation Protocol (SIP) could lead to a compromise of Cisco devices.


A recently discovered flaw in the Session Initiation Protocol (SIP) is responsible for a number of security problems in several Cisco products. These holes in SIP can result in denial-of-service events as well as possible system penetration and complete compromise of the affected device.

Details
A recent CERT Advisory (CA-2003-06) and a Cisco bulletin initially released on February 21 detail these threats as well as possible workarounds. Since SIP supports vital services on many networks, it can’t simply be disabled or blocked on all affected installations.

SIP is an application layer signaling protocol used during Internet sessions to initiate conferencing, telephony, presence, events notification, and instant messaging. It was developed through the IETF SIP working group, and a number of related RFCs are linked from the Columbia University SIP page. SIP was originally just an academic exercise, but it has been developed and integrated into some important commercial applications. The controlling specifications are found in RFC3261.

These vulnerabilities were reported by Oulu University Secure Programming Group (OUSPG Finland), which previously discovered problems in LDAP and SNMP that resulted in earlier CERT bulletins. The vulnerabilities were found using the university’s PROTOS test suite for Protocol Implementations. The results of the testing are presented in great detail here.

In addition to the spreading use of SIP in VOIP applications, OUSPG cites the following reasons for selecting the SIP protocols for testing:

"SIP is being adopted by the Third Generation Partnership Project (3GPP) as part of the third generation mobile architecture.

"The SIP family of specifications is expanding and some aspects are under development. This encourages SIP as a natural candidate for experimenting with iterative improvement of a robustness test-suite with more comprehensive releases to follow.

"HTTP-like ASCII presentations of the SIP messages may initially attract more script-kiddie level hostility (vulnerability assessment) than the rival protocols with complex encodings have attracted so far.”

Applicability
Cisco reports that the SIP vulnerability affects these products:
  • Cisco IP Phone Model 7940/7960 running SIP images prior to 4.2
  • Cisco Routers running Cisco IOS 12.2T and 12.2 "X" trains
  • Cisco PIX Firewall running software versions with SIP support, beginning with version 5.2(1) and up to, but not including, versions 6.2(2), 6.1(4), 6.0(4), and 5.2(9)

Additional details on how these products are affected are available in Cisco's security advisory on this flaw.

Besides Cisco, several other vendors have products that use SIP. Here's a look at how some of the most prominent vendors are affected by this vulnerability:
  • Nortel reports that its Succession Communication Server 2000 and SCS2000-compact where SIP-T is used will require a patch. Nortel Networks says it will release the patch soon.
  • IPTel reports that versions of SIP Express Router through 0.8.9 are vulnerable. The company recommends an immediate upgrade to 0.8.10 and suggests that users also apply a patch to the upgrade. Click here for more information.
  • According to the CERT vendor listing, Lucent is still testing its products.
  • Nokia reports that its VPN products don’t initiate SIP sessions.
  • NEC has reported that some products, including the IX 1000/2000/5000 Router Series, have already been tested and do not support SIP, but the company is still testing other products.
  • Microsoft products use SIP clients but are not affected by this threat.

Risk level—serious
This flaw could result in a denial of service (DoS) attack and/or the compromise of affected systems.

Fix
Of course, you should disable SIP services if they are not used, but this isn’t always practical. Until patches or updates have been made available and installed, there are some workarounds, such as filtering or blocking access to SIP services on the local network.

The CERT bulletin reports that the following ports might be blocked in some instances:
sip     5060/udp     # Session Initiation Protocol (SIP)
sip     5060/tcp     # Session Initiation Protocol (SIP)
sip     5061/tcp     # Session Initiation Protocol (SIP) over TLS


However, you should also keep in mind that blocking SIP could also prevent access to some utilized services.

Final word
If you—like most of us—are interested in the proper release of information about vulnerabilities such as this one (and others I feature in this column), the University of Oulu offers an excellent resource on this topic that includes various links on vulnerability disclosure policies.

Editor's Picks