Multiple Denial of Service Vulnerabilities in Cisco IOS and Unified Communications Manager SIP Message Processing

Published: 2008-09-24
Updated: 2008-09-26

Affected systems:
Cisco IOS 12.4
Cisco IOS 12.3
Cisco IOS 12.2
Cisco Unified CallManager 4.3
Cisco Unified CallManager 4.2
Cisco Unified CallManager 4.1
Cisco Unified Communications Manager 6.x
Cisco Unified Communications Manager 5.x
Unaffected systems:
Cisco Unified CallManager 4.3(2)SR1a
Cisco Unified CallManager 4.2(3)SR4b
Cisco Unified CallManager 4.1.3SR8
Cisco Unified Communications Manager 6.1(2)SU1
Cisco Unified Communications Manager 5.1(3d)
Description:
BUGTRAQ ID: 31361, 31367
CVE(CAN) ID: CVE-2008-3799, CVE-2008-3800, CVE-2008-3801, CVE-2008-3802

Cisco IOS is the Internetwork Operating System used on Cisco network devices.

Multiple vulnerabilities in the SIP implementation of Cisco IOS can be exploited remotely to trigger a memory leak or cause the IOS device to reload. Cisco devices running an affected Cisco IOS release and processing SIP messages are affected. The only precondition for these vulnerabilities is that the VoIP feature configured on the Cisco IOS device processes SIP messages. Recent Cisco IOS releases do not process SIP messages by default, but creating a dial peer with the dial-peer voice command starts the SIP process and causes Cisco IOS to begin processing SIP messages.

Cisco Unified Communications Manager is also affected by two of these vulnerabilities, CVE-2008-3800 and CVE-2008-3801.

<* Source: Cisco Security Advisory

   Links: http://secunia.com/advisories/31990/
          http://secunia.com/advisories/32013/
          http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
          http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
*>

Recommendations:
Temporary workarounds:

* Disable the SIP listening ports

    sip-ua
     no transport udp
     no transport tcp

* Control Plane Policing (CoPP)

The following example can be applied to the network:

    !-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
    !-- Everything else is not trusted. The following access list is used
    !-- to determine what traffic needs to be dropped by a control plane
    !-- policy (the CoPP feature.) If the access list matches (permit)
    !-- then traffic will be dropped and if the access list does not
    !-- match (deny) then traffic will be processed by the router.

    access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060
    access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060
    access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061
    access-list 100 deny udp host 172.16.1.1 any eq 5060
    access-list 100 deny tcp host 172.16.1.1 any eq 5060
    access-list 100 deny tcp host 172.16.1.1 any eq 5061
    access-list 100 permit udp any any eq 5060
    access-list 100 permit tcp any any eq 5060
    access-list 100 permit tcp any any eq 5061

    !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
    !-- traffic in accordance with existing security policies and
    !-- configurations for traffic that is authorized to be sent
    !-- to infrastructure devices.

    !-- Create a Class-Map for traffic to be policed by
    !-- the CoPP feature.

    class-map match-all drop-sip-class
      match access-group 100


    !-- Create a Policy-Map that will be applied to the
    !-- Control-Plane of the device.

    policy-map drop-sip-traffic
     class drop-sip-class
      drop


    !-- Apply the Policy-Map to the Control-Plane of the
    !-- device.

    control-plane
     service-policy input drop-sip-traffic
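The CoPP workaround above relies on inverted access-list semantics: an ACE that `permit`s traffic selects it for the drop class, an ACE that `deny`s traffic exempts it, and anything that falls through to the implicit deny is simply processed as normal. The following script is an added example (not part of the Cisco advisory or of NSFOCUS's text): it parses the advisory's access-list 100, embedded here as constructed input, and evaluates sample SIP flows against it with first-match-wins logic, so an operator can confirm which sources would be exempted and which would be dropped before applying the policy. The sample flows and addresses are constructed for illustration.

```python
"""Evaluate the advisory's CoPP access-list against sample SIP flows.

Added example, not Cisco's or NSFOCUS's code. Assumes contiguous Cisco
wildcard masks (all the advisory uses) and IPv4 only.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed input: the access-list from the advisory's CoPP workaround.
ACL_TEXT = """
access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061
access-list 100 deny udp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5061
access-list 100 permit udp any any eq 5060
access-list 100 permit tcp any any eq 5060
access-list 100 permit tcp any any eq 5061
"""


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "udp" or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i].

    Returns the network and the index of the next unconsumed token.
    """
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask (i.e. a Cisco wildcard) after the slash;
    # this only works for contiguous wildcards such as 0.0.0.255.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text):
    """Parse extended numbered ACEs of the form used in the advisory, in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def copp_action(aces, src_ip, proto, dst_ip, dport):
    """Return 'drop' if the packet lands in the CoPP drop class, else 'process'.

    First matching ACE wins. Under CoPP, 'permit' places the packet in the
    class (which the policy-map drops) and 'deny' keeps it out; a packet
    that matches nothing hits the implicit deny and is processed normally.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if (ace.proto == proto and s in ace.src and d in ace.dst
                and (ace.dport is None or ace.dport == dport)):
            return "drop" if ace.action == "permit" else "process"
    return "process"


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    samples = [  # constructed flows: (source, proto, router address, dst port)
        ("192.168.1.10", "udp", "10.0.0.1", 5060),  # trusted subnet
        ("172.16.1.1", "tcp", "10.0.0.1", 5061),    # trusted host
        ("172.16.1.2", "udp", "10.0.0.1", 5060),    # untrusted neighbour
        ("203.0.113.5", "tcp", "10.0.0.1", 5060),   # untrusted source
        ("203.0.113.5", "tcp", "10.0.0.1", 22),     # not SIP at all
    ]
    for flow in samples:
        print(f"{flow[0]:>13} {flow[1]}/{flow[3]:<5} -> {copp_action(ACL, *flow)}")
```

Note that a non-SIP packet from an untrusted source is still processed: the policy only removes SIP traffic from sources outside the trusted set, so the "deny" entries must list every legitimate SIP peer, or those peers' calls will be dropped along with the untrusted traffic.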

Vendor patches:

Cisco
-----
Cisco has released security advisories and corresponding patches for these issues:
cisco-sa-20080924-sip: Multiple Cisco IOS Session Initiation Protocol Denial of Service Vulnerabilities
Link: http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml

cisco-sa-20080924-cucm: Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerabilities
Link: http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml

This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.