
IOS SIP vulnerability

paa
Level 1

Hi! I found a very dangerous vulnerability in IOS. I have a 2811 with an E1 connection to the ISP and an H323 connection to a remote office. I found out that my router gets many, many SIP INVITE messages and establishes connections from anywhere to anywhere through my ISP! I don't use any SIP phones or any SIP connection to the ISP. So, I blocked incoming packets to my router on port 5060.

IOS c2800nm-advipservicesk9-mz.124-15.T4.bin

Why doesn't IOS block incoming SIP INVITEs if I don't have any SIP dial-peers and don't have a config with "allow connection from sip to"? It is like an open relay in e-mail terminology!!! If I want to use SIP, how can I protect my router?


Accepted Solutions

gogasca
Level 10

Hi sir,

We assume there is some security configured at all. IOS firewall, ACL on outside interface, IDS, etc.

Once we have that, you can take a look at some issue we have when SIP was running per default leading to a vulnerable system state.

http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml

CSCsb25337

CSCsh58082

Workarounds are also listed.

I understand your concern with peer to peer protocols like H323 and SIP in which the gateway just becomes 'sitting duck' for exploit attempts.

HTH


2 Replies


Thanks for the link! +5 points for you.
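
For the question in this thread about protecting the router both when SIP is unused and when it is needed, here is an added example (not from the posters or from the linked advisory) of IOS configuration for the two cases. The ACL name `OUTSIDE-IN`, the interface `FastEthernet0/0` and the peer address `192.0.2.10` are assumptions made for illustration.

```cisco
! Constructed example. Assumptions: FastEthernet0/0 is the Internet-facing
! interface and 192.0.2.10 is the only SIP peer that should reach the router.
!
! Case 1: SIP is not used at all.
! Stop the router from listening for SIP on UDP and TCP, so that
! unsolicited INVITEs are never processed.
sip-ua
 no transport udp
 no transport tcp
!
! Case 2: SIP is used.
! Leave the listeners on, but accept SIP signalling (port 5060) only from
! the trusted peer and log everything else that tries.
ip access-list extended OUTSIDE-IN
 permit udp host 192.0.2.10 any eq 5060
 permit tcp host 192.0.2.10 any eq 5060
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 ! Placeholder so the example changes SIP handling only; replace with the
 ! site's real inbound policy.
 permit ip any any
!
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in
```

`show sip-ua status` reports whether the UDP and TCP listeners are enabled, and `show access-lists OUTSIDE-IN` shows the hit counters on the deny entries.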