Monday, February 9, 2009

Securing Cisco routers against flaw attack (IOS 12.3, 12.4)

To find out which version of IOS you have on your Cisco router, type the command below in privileged exec mode.

show version

Routers that have Cisco Unified Communications Manager and voice services enabled can be affected by this flaw. If you are unsure whether your routers have voice services (the SIP protocol) enabled, you should check.

Execute the following three commands to see whether your router is listening for incoming SIP requests:

show ip sockets

show udp

show tcp brief all

You should look for inbound openings (listeners) for the following protocols and port numbers: TCP 5060, 5061, 1720, 11720 and UDP 5060, 5061, 2427, 2517, 16384 - 32767.

Notice that port 5060 appears in both the TCP and UDP lists.

Protecting your Cisco routers from flaw attack.

1) Check to see whether there is an upgrade to the IOS software that contains the bug fix for this vulnerability. It may be hard to upgrade your routers, but this is a good solution. What you should do immediately is either disable the SIP service if it is not needed or perform traffic mitigation to ensure that only legitimate traffic can be sent to and from the affected Cisco routers.

Disable SIP protocol

Router(config)# sip-ua
Router(config-sip-ua)# no transport udp
Router(config-sip-ua)# no transport tcp
Router(config-sip-ua)# end

These commands disable the SIP protocol and protect you from this vulnerability.
Lastly, if the SIP protocol is needed on your router and no IOS upgrade is available, apply traffic filtering so that only valid traffic reaches your affected Cisco IOS devices: create an access list (ACL) that permits SIP traffic from known SIP devices on your LAN and denies SIP traffic from all other hosts.
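The following is an added example of such an ACL, not configuration from the original post. It assumes two known SIP peers at the placeholder addresses 192.0.2.10 and 192.0.2.11, and that SIP traffic arrives on interface GigabitEthernet0/0; change both to match your network.

```cisco
! Added example (not from the original post). Placeholder SIP peers:
! 192.0.2.10 and 192.0.2.11; placeholder interface: GigabitEthernet0/0.
ip access-list extended SIP-FILTER
 remark --- permit SIP signalling (TCP/UDP 5060-5061) from known SIP hosts only
 permit tcp host 192.0.2.10 any range 5060 5061
 permit tcp host 192.0.2.11 any range 5060 5061
 permit udp host 192.0.2.10 any range 5060 5061
 permit udp host 192.0.2.11 any range 5060 5061
 remark --- drop SIP signalling from every other source and log it to syslog
 deny   tcp any any range 5060 5061 log
 deny   udp any any range 5060 5061 log
 remark --- all non-SIP traffic is left untouched by this ACL
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group SIP-FILTER in
```

The `log` keyword on the deny entries makes blocked SIP attempts visible in the router's syslog, which is useful for spotting probes; the other ports listed above (TCP 1720, 11720 and UDP 2427, 2517, 16384 - 32767) can be restricted with the same permit-known, deny-others pattern if those services are in use.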
