[Full-disclosure] Cisco Security Advisory: Cisco 7600 Series Router Session Border Controller Denial of Service Vulnerability
jstarks440 at gmail.com
Wed Mar 4 18:56:07 GMT 2009
That is why the world should use Linksys.
On Wed, Mar 4, 2009 at 11:30 AM, Cisco Systems Product Security Incident
Response Team <psirt at cisco.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Cisco Security Advisory: Cisco 7600 Series Router Session Border
> Controller Denial of Service Vulnerability
> Document ID: 109483
> Advisory ID: cisco-sa-20090304-sbc
> Revision 1.0
> For Public Release 2009 March 4 1600 UTC (GMT)
> - ---------------------------------------------------------------------
> A denial of service (DoS) vulnerability exists in the Cisco Session
> Border Controller (SBC) for the Cisco 7600 series routers. Cisco has
> released free software updates that address this vulnerability.
> Workarounds that mitigate this vulnerability are available.
> This advisory is posted at
> Affected Products
> Vulnerable Products
> All Cisco ACE-based SBC modules running software versions prior to
> 3.0(2) are affected.
> To determine the version of the Cisco SBC software running on a
> system, log in to the device and issue the show version command to
> display the system banner.
> card_A/Admin# show version
> system image file: [LCP] disk0:c76-sbck9-mzg.3.0.1_AS3_0_00.bin
> <output truncated>
> Cisco SBC software version 3.0.1 is running in the device used in
> this example.
> Products Confirmed Not Vulnerable
> The Cisco XR 12000 Series SBC is not vulnerable. Additionally, the
> Cisco ACE Module, Cisco ACE 4710 Application Control Engine, Cisco
> ACE XML Gateway, Cisco ACE Web Application Firewall, and the Cisco
> ACE GSS (Global Site Selector) 4400 Series are not affected by this
> vulnerability. No other Cisco products are currently known to be
> affected by this vulnerability.
> The Session Border Controller (SBC) enables direct IP-to-IP
> interconnect between multiple administrative domains for
> session-based services providing protocol interworking, security, and
> admission control and management. The SBC is a multimedia device that
> sits on the border of a network and controls call admission to that
> network. A vulnerability exists in the Cisco SBC where an
> unauthenticated attacker may cause the Cisco SBC card to reload by
> sending crafted TCP packets over port 2000. Repeated exploitation
> could result in a sustained DoS condition.
> Note: Only the Cisco SBC module reloads after successful
> exploitation. The Cisco 7600 series router does not reload and it is
> not affected by this vulnerability.
> Note: TCP port 2000 is typically used by Skinny Call Control Protocol
> (SCCP) applications. However, the Cisco SBC module uses TCP port 2000
> for high availability (redundancy) communication, but does not use
> the SCCP for this purpose.
> This vulnerability is documented in Cisco Bug IDs CSCsq18958 (
> registered customers only) ; and has been assigned the Common
> Vulnerability and Exposures (CVE) IDs CVE-2009-0619.
> Vulnerability Scoring Details
> Cisco has provided scores for the vulnerability in this advisory
> based on the Common Vulnerability Scoring System (CVSS). The CVSS
> scoring in this Security Advisory is done in accordance with CVSS
> version 2.0.
> CVSS is a standards-based scoring method that conveys vulnerability
> severity and helps determine urgency and priority of response.
> Cisco has provided a base and temporal score. Customers can then
> compute environmental scores to assist in determining the impact of
> the vulnerability in individual networks.
> Cisco has provided an FAQ to answer additional questions regarding
> CVSS at
> Cisco has also provided a CVSS calculator to help compute the
> environmental impact for individual networks at
> CVSS Base Score - 7.8
> Access Vector - Network
> Access Complexity - Low
> Authentication - None
> Confidentiality Impact - None
> Integrity Impact - None
> Availability Impact - Complete
> CVSS Temporal Score - 6.4
> Exploitability - Functional
> Remediation Level - Official-Fix
> Report Confidence - Confirmed
> Successful exploitation of the vulnerability may cause a reload of
> the affected device. Repeated exploitation could result in a
> sustained DoS condition.
> Software Versions and Fixes
> This vulnerability has been corrected in Cisco SBC software release
> Cisco SBC software can be downloaded from:
> When considering software upgrades, also consult
> http://www.cisco.com/go/psirt and any subsequent advisories to
> determine exposure and a complete upgrade solution.
> In all cases, customers should exercise caution to be certain the
> devices to be upgraded contain sufficient memory and that current
> hardware and software configurations will continue to be supported
> properly by the new release. If the information is not clear, contact
> the Cisco Technical Assistance Center (TAC) or your contracted
> maintenance provider for assistance.
> As a workaround, configure an access control list (ACL) in the
> signaling / media VLAN on the Route Processor (RP). The following
> examples show how VLAN 140 is configured as the signaling / media
> VLAN. A separate VLAN (VLAN 77) is configured as Fault Tolerance
> (FT). An ACL is added to the signaling/media VLAN on the RP filtering
> all TCP port 2000 packets to the alias IP address.
> Cisco SBC configuration
> interface vlan 140
> ip address 10.140.1.90 255.255.255.0
> alias 10.140.1.100 255.255.255.0
> peer ip address 10.140.1.8 255.255.255.0
> ft interface vlan 77
> ip address 192.168.1.1 255.255.255.0
> peer ip address 192.168.1. 255.255.255.0
> RP Configuration
> !- ACL blocking all TCP port 2000 traffic to the 10.140.1.0 internal
> access-list 100 deny tcp any host 10.140.1.100 eq 2000
> access-list 100 permit ip any any
> interface Vlan140
> ip address 10.140.1.1 255.255.255.0
> !- ACL is applied to the VLAN interface to egress traffic
> ip access-group 100 out
> The alias command under VLAN 140 is configured with an IP address
> that floats between active and standby modules when using high
> availability. Only TCP port 2000 traffic destined to this IP address
> may trigger this vulnerability. An access control list (ACL) is
> configured to deny TCP port 2000 destined to the alias IP address
> (10.140.1.100). The ACL is applied egress in the RP.
> Note: TCP port 2000 is used by Skinny Call Control Protocol (SCCP)
> applications; however, in this case it is used by the SBC for
> internal communications. The previous ACL only blocks TCP port 2000
> traffic to the alias IP address. TCP port 2000 is not used by the
> alias IP address. This ACL should not cause any collateral damage.
> Additional mitigations that can be deployed on Cisco devices within
> the network are available in the Cisco Applied Intelligence companion
> document for this Advisory:
> Obtaining Fixed Software
> Cisco has released free software updates that address this
> vulnerability. Prior to deploying software, customers should consult
> their maintenance provider or check the software for feature set
> compatibility and known issues specific to their environment.
> Customers may only install and expect support for the feature sets
> they have purchased. By installing, downloading, accessing or
> otherwise using such software upgrades, customers agree to be bound
> by the terms of Cisco's software license terms found at
> or as otherwise set forth at Cisco.com Downloads at
> Do not contact psirt at cisco.com or security-alert at cisco.com for
> software upgrades.
> Customers with Service Contracts
> Customers with contracts should obtain upgraded software through
> their regular update channels. For most customers, this means that
> upgrades should be obtained through the Software Center on Cisco's
> worldwide website at http://www.cisco.com.
> Customers using Third Party Support Organizations
> Customers whose Cisco products are provided or maintained through
> prior or existing agreements with third-party support organizations,
> such as Cisco Partners, authorized resellers, or service providers
> should contact that support organization for guidance and assistance
> with the appropriate course of action in regards to this advisory.
> The effectiveness of any workaround or fix is dependent on specific
> customer situations, such as product mix, network topology, traffic
> behavior, and organizational mission. Due to the variety of affected
> products and releases, customers should consult with their service
> provider or support organization to ensure any applied workaround or
> fix is the most appropriate for use in the intended network before it
> is deployed.
> Customers without Service Contracts
> Customers who purchase direct from Cisco but do not hold a Cisco
> service contract, and customers who purchase through third-party
> vendors but are unsuccessful in obtaining fixed software through
> their point of sale should acquire upgrades by contacting the Cisco
> Technical Assistance Center (TAC). TAC contacts are as follows.
> * +1 800 553 2447 (toll free from within North America)
> * +1 408 526 7209 (toll call from anywhere in the world)
> * e-mail: tac at cisco.com
> Customers should have their product serial number available and be
> prepared to give the URL of this notice as evidence of entitlement to
> a free upgrade. Free upgrades for non-contract customers must be
> requested through the TAC.
> Refer to
> for additional TAC contact information, including localized telephone
> numbers, and instructions and e-mail addresses for use in various
> Exploitation and Public Announcements
> The Cisco PSIRT is not aware of any public announcements or malicious
> use of the vulnerability described in this advisory.
> This vulnerability was found during internal testing.
> Status of this Notice: FINAL
> THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
> KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
> MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
> INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
> AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
> DOCUMENT AT ANY TIME.
> A stand-alone copy or Paraphrase of the text of this document that
> omits the distribution URL in the following section is an
> uncontrolled copy, and may lack important information or contain
> factual errors.
> This advisory is posted on Cisco's worldwide website at :
> In addition to worldwide web posting, a text version of this notice
> is clear-signed with the Cisco PSIRT PGP key and is posted to the
> following e-mail and Usenet news recipients.
> * cust-security-announce at cisco.com
> * first-bulletins at lists.first.org
> * bugtraq at securityfocus.com
> * vulnwatch at vulnwatch.org
> * cisco at spot.colorado.edu
> * cisco-nsp at puck.nether.net
> * full-disclosure at lists.grok.org.uk
> * comp.dcom.sys.cisco at newsgate.cisco.com
> Future updates of this advisory, if any, will be placed on Cisco's
> worldwide website, but may or may not be actively announced on
> mailing lists or newsgroups. Users concerned about this problem are
> encouraged to check the above URL for any updates.
> Revision History
> | Revision | | Initial |
> | 1.0 | 2009-March-04 | public |
> | | | release |
> Cisco Security Procedures
> Complete information on reporting security vulnerabilities in Cisco
> products, obtaining assistance with security incidents, and
> registering to receive security information from Cisco, is available
> on Cisco's worldwide website at
> This includes instructions for press inquiries regarding Cisco
> security notices. All Cisco security advisories are available at
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> -----END PGP SIGNATURE-----
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-------------- next part --------------
An HTML attachment was scrubbed...
Full-Disclosure is hosted and sponsored by Secunia.