Wednesday, January 31, 2007

Stop me if you've heard this one... So a priest, a rabbi, and Cisco IOS walk into a bar…

Cisco devices running IOS which support voice and are not configured for Session Initiated Protocol (SIP) are vulnerable to a crash under yet to be determined conditions, but isolated to traffic destined to Port 5060. SIP is enabled by default on all Advanced images which support voice and do not contain the fix for CSCsb25337. There are no reports of this vulnerability on the devices which are properly configured for SIP processing. Workarounds exist to mitigate the effects of this problem.
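The one concrete fact in that advisory is the trigger surface: traffic to port 5060 reaching a voice-capable IOS device on which nobody ever configured SIP. Here is an added example (mine, not from the post or from Cisco) of a small Python triage script that works exactly that angle over flow records; the device inventory and the NetFlow-style lines are constructed for illustration.

```python
"""Flag port-5060 traffic aimed at network devices that are not meant to
speak SIP. Inventory and flow records below are constructed sample data."""
from collections import defaultdict

SIP_PORT = 5060

# Hypothetical inventory: device address -> whether SIP was deliberately configured.
INVENTORY = {
    "10.0.0.1": {"name": "edge-rtr-1", "sip_configured": False},
    "10.0.0.2": {"name": "voice-gw-1", "sip_configured": True},
}

# Constructed NetFlow-style records: proto src_ip src_port dst_ip dst_port packets
FLOW_LOG = """\
udp 192.0.2.10 5060 10.0.0.1 5060 3
udp 192.0.2.10 5060 10.0.0.2 5060 120
tcp 198.51.100.7 41022 10.0.0.1 5060 1
udp 192.0.2.10 33333 10.0.0.1 53 40
udp 203.0.113.5 5060 10.0.0.1 5060 2
"""


def parse_flows(text):
    """Turn the whitespace-separated flow lines into dicts, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport, pkts = line.split()
        records.append({"proto": proto, "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "packets": int(pkts)})
    return records


def unexpected_sip(records, inventory):
    """Return {device_name: {src_ip: packets}} for traffic to port 5060 that
    reached a device where SIP is not configured. Even one packet counts,
    because the advisory says a reload needs only a few."""
    hits = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["dport"] != SIP_PORT:
            continue
        dev = inventory.get(r["dst"])
        if dev is None or dev["sip_configured"]:
            continue  # unknown box, or SIP is expected there: not our problem here
        hits[dev["name"]][r["src"]] += r["packets"]
    return {name: dict(srcs) for name, srcs in hits.items()}


if __name__ == "__main__":
    for dev, sources in unexpected_sip(parse_flows(FLOW_LOG), INVENTORY).items():
        for src, pkts in sources.items():
            print(f"ALERT {dev}: {pkts} packet(s) to port {SIP_PORT} from {src}")
```

The voice gateway that legitimately runs SIP is left alone; the edge router, which should never see 5060 at all, gets one alert line per source.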

No really, I can’t buy humor like this. Since my day job is analyzing security problems, let me give you readers my professional opinion on this one. For Cisco to release an advisory for a “yet to be determined condition”, one very large customer or several large customers must be complaining because their infrastructure is getting hit with this.

Why build a 100,000 botnet army when you can DoS a site with a few packets?

So this might actually be Cisco 0day in the wild! Or it could just be a badly configured SIP client that doesn’t respect the RFC very well and is accidentally bringing down companies. Since the Cisco VoIP solution does not use SIP (it uses SCCP), I wonder how many Cisco VoIP solutions are vulnerable to something like this. Of course I am just speculating until I find the problem (and trust me, I am looking heavily right now), but it’s very unusual for Cisco to release an advisory for a problem they can’t pin down yet, and since they don’t share security information there isn’t much else that can be done besides running a SIP fuzzer. BTW, although they say it later in the post, a “reload” is a spin kind of way of saying this will lead to a denial-of-service attack. Ordinarily DoSes are lame, unless they can stop an entire infrastructure from working; then they become cool.

Errata Security is currently researching this new threat and will alert customers as soon as we have it pinned down.

So let me restate something that seems to be a weekly thing: diversity is a great way to ensure that neither a malicious kid nor just plain bad software brings down your network.

UPDATE: If you are a Cisco customer, ask them why they don't share security information with security vendors. If they try the national security line, please roll your eyes.
