Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

paa
New Member

IOS SIP vulnerability

Hi! I find a very dangerous vulnerability in IOS. I have a 2811 with an E1 connection to ISP and a h323 connection to remote office. I find out, that my router gets many-many SIP INVITE messages and establishs connection from anywhere to anywhere throught my ISP! I don't use any SIP-phones or any SIP connection to ISP. So, I blocked incoming packets to my router on port 5060.

IOS c2800nm-advipservicesk9-mz.124-15.T4.bin

Why IOS don't block incoming SIP INVITE if I don't have any sip dial-peers and dont' have a config wth "allow connection from sip to"? It is like an open relay in e-mail terminalogy!!! If I want to use SIP, how can I protect my router?

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: IOS SIP vulnerability

Hi sir,

We assume there is some security

configured at all. IOS firewall, ACL on outside interface, IDS, etc.

Once we have that, you can take a look at

some issue we have when SIP was running per default leading to a vulnerable system state.

http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml

CSCsb25337

CSCsh58082

Workarounds are also listed

I understand your concern with peer to peer protocols like H323 and SIP in which the gateway just becomes 'sitting duck' for exploit attempts.

HTH

2 REPLIES
Green

Re: IOS SIP vulnerability

Hi sir,

We assume there is some security

configured at all. IOS firewall, ACL on outside interface, IDS, etc.

Once we have that, you can take a look at

some issue we have when SIP was running per default leading to a vulnerable system state.

http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml

CSCsb25337

CSCsh58082

Workarounds are also listed

I understand your concern with peer to peer protocols like H323 and SIP in which the gateway just becomes 'sitting duck' for exploit attempts.

HTH

paa
New Member

Re: IOS SIP vulnerability

Thanks for link! +5 points for you

248
Views
0
Helpful
2
Replies
CreatePlease to create content