TECHNICAL BULLETIN
| PROBLEM: | Cisco Unified Communications Manager is prone to a denial-of-service vulnerability. |
| PLATFORM: | Cisco Unified Communication Manager 7.0(2), Cisco Unified Communication Manager 7.0, Cisco Unified Communication Manager 6.1(3), Cisco Unified Communication Manager 6.1(1), Cisco Unified Communication Manager 5.1(3e), Cisco Unified Communication Manager 5.0 |
| ABSTRACT: | Successful exploitation of the vulnerability that is described in this advisory could result in a reload of the Cisco Unified Communications Manager process, which may result in the interruption of voice services. |
| LINKS: | |
| DOE-CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/t-238.shtml |
| OTHER LINKS: | Security Focus http://www.securityfocus.com/bid/36496/info ; Cisco Website http://www.cisco.com/en/US/products/products_security_advisory09186a0080af8118.shtml |
| CVE: | CVE-2009-2864 |
| IMPACT ASSESSMENT: | The risk is medium. An attacker can exploit this issue to cause an interruption in voice services, denying service to legitimate users. |
[***** Start CVE-2009-2864 *****]

Discussion: A DoS vulnerability exists in the SIP implementation of the Cisco Unified Communications Manager. This vulnerability could be triggered when Cisco Unified Communications Manager processes crafted SIP messages. An exploit could lead to a reload of the main Cisco Unified Communications Manager process. Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible enough to accommodate other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP port 5061) as the underlying transport protocol.

Workaround: There are no workarounds for this vulnerability. It is possible to mitigate this vulnerability by implementing filtering on screening devices and permitting TCP/UDP access to port 5060 and TCP access to port 5061 only from networks that require SIP access to Cisco Unified Communications Manager servers. If Cisco Unified Communications Manager does not need to provide SIP services, administrators can configure the Cisco Unified Communications Manager to listen for SIP messages on non-standard ports. Use the following instructions to change the ports from their default values:

Step 1: Log into the Cisco Unified CallManager Administration web interface.
Step 2: Navigate to System > Cisco Unified CM and locate the appropriate Cisco Unified Communications Manager.
Step 3: Change the SIP Phone Port and SIP Phone Secure Port fields to a non-standard port and click Save.

SIP Phone Port, which is 5060 by default, refers to the TCP and UDP ports on which the Cisco Unified Communications Manager listens for normal SIP messages, and SIP Phone Secure Port, by default 5061, refers to the TCP port on which the Cisco Unified Communications Manager listens for SIP over TLS messages.

For additional information about this procedure, refer to the "Updating a Cisco Unified Communications Manager" section of the "Cisco Unified Communications Manager Administration Guide" at http://www.cisco.com/en/US/docs/voice_ip_comm/cucmbe/admin/7_0_1/ccmcfg/b02ccm.html#wp1057513. Note: For a SIP port change to take effect, the Cisco CallManager Service must be restarted.

Solution: Cisco has released free software updates that address this vulnerability.

[***** End CVE-2009-2864 *****]
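The screening-device filter described in the workaround above, as an added example that is not part of this bulletin or of Cisco's own guidance: it evaluates flows against a trusted-network allowlist for the advisory's SIP ports (UDP/TCP 5060, TCP 5061) and renders the equivalent Cisco IOS extended ACL. The CUCM address 192.0.2.10, the trusted network 10.10.0.0/16 and the sample flow records are constructed; the port set is a parameter so a non-standard port chosen per Step 3 can be substituted.

```python
# Added example: screening-device policy for SIP access to a CUCM server.
# Hosts, networks and flow records below are constructed for illustration.
import ipaddress
from typing import Iterable, List, Tuple

# Ports from the advisory: SIP over UDP/TCP 5060, SIP over TLS on TCP 5061.
DEFAULT_SIP_PORTS = {("udp", 5060), ("tcp", 5060), ("tcp", 5061)}


class SipScreeningPolicy:
    """Permit SIP signaling to the CUCM host only from trusted networks."""

    def __init__(self, cucm_host: str, trusted_nets: Iterable[str],
                 sip_ports=DEFAULT_SIP_PORTS) -> None:
        self.cucm = ipaddress.ip_address(cucm_host)
        self.trusted = [ipaddress.ip_network(n) for n in trusted_nets]
        self.sip_ports = set(sip_ports)

    def decision(self, src_ip: str, proto: str, dst_ip: str, dst_port: int) -> str:
        """Return 'permit' or 'deny' for one flow (src, proto, dst, port)."""
        if ipaddress.ip_address(dst_ip) != self.cucm:
            return "permit"  # not destined for CUCM; outside this filter's scope
        if (proto.lower(), dst_port) not in self.sip_ports:
            return "permit"  # non-SIP traffic to CUCM is left alone
        src = ipaddress.ip_address(src_ip)
        return "permit" if any(src in net for net in self.trusted) else "deny"

    def to_ios_acl(self, acl_number: int = 110) -> List[str]:
        """Render the same policy as Cisco IOS extended ACL lines."""
        host = f"host {self.cucm}"
        lines = []
        for net in self.trusted:
            wildcard = net.hostmask  # IOS ACLs use wildcard (inverse) masks
            for proto, port in sorted(self.sip_ports):
                lines.append(f"access-list {acl_number} permit {proto} "
                             f"{net.network_address} {wildcard} {host} eq {port}")
        for proto, port in sorted(self.sip_ports):
            lines.append(f"access-list {acl_number} deny {proto} any {host} eq {port}")
        lines.append(f"access-list {acl_number} permit ip any any")  # only SIP is restricted
        return lines


# Constructed flow records standing in for screening-device log entries.
SAMPLE_FLOWS: List[Tuple[str, str, str, int]] = [
    ("10.10.1.25", "udp", "192.0.2.10", 5060),     # trusted phone VLAN, plain SIP
    ("10.10.2.7", "tcp", "192.0.2.10", 5061),      # trusted, SIP over TLS
    ("198.51.100.77", "udp", "192.0.2.10", 5060),  # untrusted source: blocked
    ("198.51.100.77", "tcp", "192.0.2.10", 443),   # non-SIP service: untouched
]


def screen_flows(policy: SipScreeningPolicy, flows) -> List[str]:
    return [policy.decision(*flow) for flow in flows]
```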
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov