default sip with 12.4(13r)T

lukasdrbo
Level 1

Hello all,

I use a 2811 router with CM Express for ISDN dialing to the PSTN. My ISP informed me that I have high voice traffic to some countries in Asia and Africa. I debugged it: all calls were over SIP, which was enabled on the public interface in the default SIP config (I didn't see anything about enabling SIP in the startup-config). Now I have disabled the TCP/UDP SIP transport and everything is OK, but can you explain to me what is possible or where the problem is?

thank you.

lukas

my hw:

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T7, RELEASE SOFTWARE (fc3) - c2800nm-advipservicesk9-mz.124-9.T7.bin

sh sip-ua calls

SIP UAC CALL INFO

Number of SIP User Agent Client(UAC) calls: 0

SIP UAS CALL INFO

Call 1

SIP Call ID : 082b950025e80d108000001517184ec8@server480.none.com

State of the call : STATE_RECD_INVITE (11)

Substate of the call : SUBSTATE_NONE (0)

Calling Number : 1111

Called Number : 9009595036838

Bit Flags : 0x40401E 0x100 0x404

CC Call ID : 39669

Source IP Address (Sig ): my ip

Destn SIP Req Addr:Port : unknown ip:5060

Destn SIP Resp Addr:Port: unknown ip:5060

Destination Name : unknown ip

Number of Media Streams : 1

Number of Active Streams: 1

RTP Fork Object : 0x0

Media Mode : flow-through

Media Stream 1

State of the stream : STREAM_ACTIVE

Stream Call ID : 39669

Stream Type : voice+dtmf (1)

Negotiated Codec : g723r63 (24 bytes)

Codec Payload Type : 4

Negotiated Dtmf-relay : rtp-nte

Dtmf-relay Payload Type : 101

Media Source IP Addr:Port: my ip:17172

Media Dest IP Addr:Port : unknown ip:19056

Orig Media Dest IP Addr:Port : 0.0.0.0:0

3 Replies

Stoyan Stoitsev
Level 8

Hi,

Check this info

http://www.cisco.com/en/US/products/products_security_advisory09186a0080899653.shtml#@ID

Basically, SIP, H.323 and MGCP ports stay open no matter if you have configured/enabled any of these services, and anyone can connect to the router on port 5060 (for example), and if he guesses the right pattern to go out through your POTS dial-peers you'll get quite a nice bill from your telco ;)

So deny any ports that these protocols use if you have ISDN and internet on the same router. Permit them only from trusted hosts if that is possible, and always put the sip no transport tcp/udp if you don't use SIP.

Use show tcp all brief and show ip sockets (if available in your IOS) to see on what ports your router is listening.

One of our clients said goodbye to a couple of thousand dollars the day before this advisory was posted.

BR,

Stoyan
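As an added example (not part of the thread and not Cisco code), this Python check reads saved `show sip-ua calls` output and lists inbound (UAS) calls whose SIP peer is outside a trusted list, which is the situation the reply above says to block. The sample output, the addresses and the trusted range are constructed, and treating `Destn SIP Req Addr:Port` as the remote IPv4 peer is an assumption based on the output in the question.

```python
import ipaddress
import re

# Constructed sample in the layout of `show sip-ua calls`; documentation addresses only.
SAMPLE = """\
SIP UAC CALL INFO
Number of SIP User Agent Client(UAC) calls: 0
SIP UAS CALL INFO
Call 1
Calling Number : 1111
Called Number : 9009595036838
Destn SIP Req Addr:Port : 203.0.113.77:5060
Call 2
Calling Number : 200
Called Number : 0123456
Destn SIP Req Addr:Port : 198.51.100.10:5060
"""

FIELDS = {
    "calling": re.compile(r"^\s*Calling Number\s*:\s*(\S+)", re.M),
    "called": re.compile(r"^\s*Called Number\s*:\s*(\S+)", re.M),
    "peer": re.compile(r"^\s*Destn SIP Req Addr:Port\s*:\s*([0-9.]+):\d+", re.M),
}

def parse_uas_calls(text):
    """Return one dict per call in the 'SIP UAS CALL INFO' (inbound SIP) section."""
    uas = text.partition("SIP UAS CALL INFO")[2]
    calls = []
    for block in re.split(r"^\s*Call \d+\s*$", uas, flags=re.M)[1:]:
        found = {name: rx.search(block) for name, rx in FIELDS.items()}
        calls.append({k: m.group(1) if m else None for k, m in found.items()})
    return calls

def untrusted_calls(text, trusted):
    """Return inbound calls whose SIP peer is not inside any trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    flagged = []
    for call in parse_uas_calls(text):
        try:
            peer = ipaddress.ip_address(call["peer"])
            ok = any(peer in n for n in nets)
        except (ValueError, TypeError):
            ok = False  # missing or unparseable peer is treated as untrusted
        if not ok:
            flagged.append(call)
    return flagged

if __name__ == "__main__":
    for c in untrusted_calls(SAMPLE, ["198.51.100.0/24"]):
        print("untrusted inbound SIP call:", c)
```
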

Hi Stoyan,

Thank you for the info. I read your advisory link, but if I understand it (there is a lot of info about device crashes), the main reason for my problem could be this: "can potentially lead to remote code execution"? If yes, do you have any sample code, please?

lukas

As I told you, your router listens on these ports and it is possible that someone can remotely "execute code" on them, i.e. send call-setup signalization and eventually make a call. This does not mean that they have accessed the router.
