Vulnerabilities > CVE-2009-2870 - Unspecified vulnerability in Cisco IOS

CVSS 7.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

COMPLETE

network

low complexity

cisco

nessus

NVD

Published: 2009-09-28

Updated: 2009-10-01

Summary

Unspecified vulnerability in Cisco IOS 12.2 through 12.4, when the Cisco Unified Border Element feature is enabled, allows remote attackers to cause a denial of service (device reload) via crafted SIP messages, aka Bug ID CSCsx25880.

Vulnerable Configurations

Part	Description	Count
OS	Cisco Cisco IOS 12.3Yk Cisco IOS 12.3Ys Cisco IOS 12.3Yt Cisco IOS 12.4Gc Cisco IOS 12.4Mr Cisco IOS 12.4T Cisco IOS 12.4Xa Cisco IOS 12.4Xc Cisco IOS 12.4Xd Cisco IOS 12.4Xe Cisco IOS 12.4Xl Cisco IOS 12.4Xm Cisco IOS 12.4Xp Cisco IOS 12.4Xt Cisco IOS 12.4Xv Cisco IOS 12.4Xw Cisco IOS 12.4Xy Cisco IOS 12.4Xz Cisco IOS 12.4Ya	19

Nessus

NASL family	CISCO
NASL id	CISCO-SA-20090923-SIPHTTP.NASL
description	A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that could allow an unauthenticated attacker to cause a denial of service (DoS) condition on an affected device when the Cisco Unified Border Element feature is enabled. Cisco has released free software updates that address this vulnerability. For devices that must run SIP there are no workarounds; however, mitigations are available to limit exposure of the vulnerability.
last seen	2019-10-28
modified	2010-09-01
plugin id	49046
published	2010-09-01
reporter	This script is (C) 2010-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/49046
title	Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability (cisco-sa-20090923-sip)
code	#TRUSTED 21b2d23f55421de719a26d8bad97ea6882f5b083742d1eab936632e1a2e5905772e3b4a6ebf0db3eac6687e296f8b5f8e825bcc455386304ad8b3752c5c93eac2aefaa59ff719943b94735faa1bd12c672eb2d0fa8a9b9eed142ddbc140efc69c30164914e5d8d1e96bb5969cbf3668bbbd4236b65df8996daad04b472ade11c334a34fc41858951958ecbb3a194c661ffac3356e1b846b08f91196b731561106b3852f2faec6579b182124eea086d7db0157c3750ab39157c9837472ea82b7f7ff00dc06a4c7234075f626bf531369eff0601fbe9d1504602492c97da8a49c454fc374adb068bd4e2c43abb773c660e2d7f17788e8a53b0e31428341d63770c2b55c4b20ae819281aed0853629facd25813664fcd528074f6d94497405e524cef443905ef8b070815d6040140b631f603af9bbc19b4631947638ba2918fdf10e083b016394f6a9cc482e2b82c6422133c975f02c37364ba97b9fa28f6d067bcad071f9912282a691f00e588f210ba20236f2076ab132565d3c5c95eb800c71a373a1ea7ba2d657a88b422a9c1ba3b0bae6ee0788b4b6d2416aada4c08521627d9184460826acd1fabd4f670af51e2c39bbafd1db8a5fdd6e691adda098ab5cc3ab386e89cde671e989ad2c58b9df1791a9e4e7ebdfe674862670c54d0f5dab1c4088bd7d0ab113549087fdfac0379931dd6ca381f5462d154194c275a0af5ad # # (C) Tenable Network Security, Inc. # # Security advisory is (C) CISCO, Inc. # See https://www.cisco.com/en/US/products/products_security_advisory09186a0080af811b.shtml include("compat.inc"); if (description) { script_id(49046); script_version("1.21"); script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15"); script_cve_id("CVE-2009-2870"); script_bugtraq_id(36499); script_xref(name:"CISCO-BUG-ID", value:"CSCsx25880"); script_xref(name:"CISCO-SA", value:"cisco-sa-20090923-sip"); script_name(english:"Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability (cisco-sa-20090923-sip)"); script_summary(english:"Checks the IOS version."); script_set_attribute(attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch."); script_set_attribute(attribute:"description", value: 'A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that could allow an unauthenticated attacker to cause a denial of service (DoS) condition on an affected device when the Cisco Unified Border Element feature is enabled. Cisco has released free software updates that address this vulnerability. For devices that must run SIP there are no workarounds; however, mitigations are available to limit exposure of the vulnerability. '); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-sip script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?90901b88"); # https://www.cisco.com/en/US/products/products_security_advisory09186a0080af811b.shtml script_set_attribute(attribute:"see_also", value: "http://www.nessus.org/u?aecf497e"); script_set_attribute(attribute:"solution", value: "Apply the relevant patch referenced in Cisco Security Advisory cisco-sa-20090923-sip."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios"); script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/23"); script_set_attribute(attribute:"patch_publication_date", value:"2009/09/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/09/01"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is (C) 2010-2018 Tenable Network Security, Inc."); script_family(english:"CISCO"); script_dependencie("cisco_ios_version.nasl"); script_require_keys("Host/Cisco/IOS/Version"); exit(0); } include("audit.inc"); include("cisco_func.inc"); include("cisco_kb_cmd_func.inc"); flag = 0; override = 0; version = get_kb_item_or_exit("Host/Cisco/IOS/Version"); if (version == '12.4(22)YB') flag++; else if (version == '12.4(20)YA3') flag++; else if (version == '12.4(20)YA2') flag++; else if (version == '12.4(20)YA1') flag++; else if (version == '12.4(20)YA') flag++; else if (version == '12.4(15)XZ2') flag++; else if (version == '12.4(15)XZ1') flag++; else if (version == '12.4(15)XZ') flag++; else if (version == '12.4(15)XY5') flag++; else if (version == '12.4(15)XY4') flag++; else if (version == '12.4(15)XY3') flag++; else if (version == '12.4(15)XY2') flag++; else if (version == '12.4(15)XY1') flag++; else if (version == '12.4(15)XY') flag++; else if (version == '12.4(11)XW9') flag++; else if (version == '12.4(11)XW8') flag++; else if (version == '12.4(11)XW7') flag++; else if (version == '12.4(11)XW6') flag++; else if (version == '12.4(11)XW5') flag++; else if (version == '12.4(11)XW4') flag++; else if (version == '12.4(11)XW3') flag++; else if (version == '12.4(11)XW2') flag++; else if (version == '12.4(11)XW10') flag++; else if (version == '12.4(11)XW1') flag++; else if (version == '12.4(11)XW') flag++; else if (version == '12.4(11)XV1') flag++; else if (version == '12.4(11)XV') flag++; else if (version == '12.4(6)XT2') flag++; else if (version == '12.4(6)XT1') flag++; else if (version == '12.4(6)XT') flag++; else if (version == '12.4(6)XP') flag++; else if (version == '12.4(15)XM2') flag++; else if (version == '12.4(15)XM1') flag++; else if (version == '12.4(15)XL4') flag++; else if (version == '12.4(15)XL3') flag++; else if (version == '12.4(15)XL2') flag++; else if (version == '12.4(15)XL1') flag++; else if (version == '12.4(15)XL') flag++; else if (version == '12.4(11)XJ4') flag++; else if (version == '12.4(11)XJ3') flag++; else if (version == '12.4(11)XJ2') flag++; else if (version == '12.4(11)XJ') flag++; else if (version == '12.4(6)XE3') flag++; else if (version == '12.4(6)XE2') flag++; else if (version == '12.4(6)XE1') flag++; else if (version == '12.4(6)XE') flag++; else if (version == '12.4(4)XD9') flag++; else if (version == '12.4(4)XD8') flag++; else if (version == '12.4(4)XD7') flag++; else if (version == '12.4(4)XD5') flag++; else if (version == '12.4(4)XD4') flag++; else if (version == '12.4(4)XD2') flag++; else if (version == '12.4(4)XD12') flag++; else if (version == '12.4(4)XD11') flag++; else if (version == '12.4(4)XD10') flag++; else if (version == '12.4(4)XD1') flag++; else if (version == '12.4(4)XD') flag++; else if (version == '12.4(4)XC7') flag++; else if (version == '12.4(4)XC6') flag++; else if (version == '12.4(4)XC5') flag++; else if (version == '12.4(4)XC4') flag++; else if (version == '12.4(4)XC3') flag++; else if (version == '12.4(4)XC2') flag++; else if (version == '12.4(4)XC1') flag++; else if (version == '12.4(4)XC') flag++; else if (version == '12.4(2)XB9') flag++; else if (version == '12.4(2)XB8') flag++; else if (version == '12.4(2)XB7') flag++; else if (version == '12.4(2)XB6') flag++; else if (version == '12.4(2)XB5') flag++; else if (version == '12.4(2)XB4') flag++; else if (version == '12.4(2)XB3') flag++; else if (version == '12.4(2)XB2') flag++; else if (version == '12.4(2)XB10') flag++; else if (version == '12.4(2)XB1') flag++; else if (version == '12.4(2)XB') flag++; else if (version == '12.4(2)XA2') flag++; else if (version == '12.4(2)XA1') flag++; else if (version == '12.4(2)XA') flag++; else if (version == '12.4(24)T') flag++; else if (version == '12.4(22)T1') flag++; else if (version == '12.4(22)T') flag++; else if (version == '12.4(20)T2') flag++; else if (version == '12.4(20)T1') flag++; else if (version == '12.4(20)T') flag++; else if (version == '12.4(15)T9') flag++; else if (version == '12.4(15)T8') flag++; else if (version == '12.4(15)T7') flag++; else if (version == '12.4(15)T6') flag++; else if (version == '12.4(15)T5') flag++; else if (version == '12.4(15)T4') flag++; else if (version == '12.4(15)T3') flag++; else if (version == '12.4(15)T2') flag++; else if (version == '12.4(15)T1') flag++; else if (version == '12.4(15)T') flag++; else if (version == '12.4(11)T4') flag++; else if (version == '12.4(11)T3') flag++; else if (version == '12.4(11)T2') flag++; else if (version == '12.4(11)T1') flag++; else if (version == '12.4(11)T') flag++; else if (version == '12.4(9)T7') flag++; else if (version == '12.4(9)T6') flag++; else if (version == '12.4(9)T5') flag++; else if (version == '12.4(9)T4') flag++; else if (version == '12.4(9)T3') flag++; else if (version == '12.4(9)T2') flag++; else if (version == '12.4(9)T1') flag++; else if (version == '12.4(9)T') flag++; else if (version == '12.4(6)T9') flag++; else if (version == '12.4(6)T8') flag++; else if (version == '12.4(6)T7') flag++; else if (version == '12.4(6)T6') flag++; else if (version == '12.4(6)T5') flag++; else if (version == '12.4(6)T4') flag++; else if (version == '12.4(6)T3') flag++; else if (version == '12.4(6)T2') flag++; else if (version == '12.4(6)T11') flag++; else if (version == '12.4(6)T10') flag++; else if (version == '12.4(6)T1') flag++; else if (version == '12.4(6)T') flag++; else if (version == '12.4(4)T8') flag++; else if (version == '12.4(4)T7') flag++; else if (version == '12.4(4)T6') flag++; else if (version == '12.4(4)T5') flag++; else if (version == '12.4(4)T4') flag++; else if (version == '12.4(4)T3') flag++; else if (version == '12.4(4)T2') flag++; else if (version == '12.4(4)T1') flag++; else if (version == '12.4(4)T') flag++; else if (version == '12.4(2)T6') flag++; else if (version == '12.4(2)T5') flag++; else if (version == '12.4(2)T4') flag++; else if (version == '12.4(2)T3') flag++; else if (version == '12.4(2)T2') flag++; else if (version == '12.4(2)T1') flag++; else if (version == '12.4(2)T') flag++; else if (version == '12.4(19)MR2') flag++; else if (version == '12.4(19)MR1') flag++; else if (version == '12.4(19)MR') flag++; else if (version == '12.4(16)MR2') flag++; else if (version == '12.4(16)MR1') flag++; else if (version == '12.4(16)MR') flag++; else if (version == '12.4(12)MR2') flag++; else if (version == '12.4(12)MR1') flag++; else if (version == '12.4(12)MR') flag++; else if (version == '12.4(11)MR') flag++; else if (version == '12.4(9)MR') flag++; else if (version == '12.4(6)MR1') flag++; else if (version == '12.4(6)MR') flag++; else if (version == '12.4(4)MR1') flag++; else if (version == '12.4(4)MR') flag++; else if (version == '12.4(2)MR1') flag++; else if (version == '12.4(2)MR') flag++; else if (version == '12.4(22)GC1') flag++; else if (version == '12.3(14)YT1') flag++; else if (version == '12.3(14)YT') flag++; else if (version == '12.3(11)YS2') flag++; else if (version == '12.3(11)YK2') flag++; else if (version == '12.3(11)YK1') flag++; else if (version == '12.3(11)YK') flag++; if (get_kb_item("Host/local_checks_enabled")) { if (flag) { flag = 0; buf = cisco_command_kb_item("Host/Cisco/Config/show_processes", "show processes"); if (check_cisco_result(buf)) { if (preg(pattern:"SIP", multiline:TRUE, string:buf)) { flag = 1; } } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; } } } if (flag) { security_hole(port:0, extra:cisco_caveat(override)); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 36499 CVE ID: CVE-2009-2870 Cisco IOS是思科网络设备所使用的互联网操作系统。如果设备运行的Cisco IOS镜像中包含有Cisco Unified Border Element功能，则Cisco IOS软件的SIP实现中存在拒绝服务漏洞。处理一系列特制的SIP消息会导致设备重载。 Cisco IOS 12.4 Cisco IOS 12.3 临时解决方法： * 禁用SIP监听端口 sip-ua no transport udp no transport tcp no transport tcp tls * 部署以下控制面整型（CoPP） !-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted. !-- Everything else is not trusted. The following access list is used !-- to determine what traffic needs to be dropped by a control plane !-- policy (the CoPP feature.) If the access list matches (permit) !-- then traffic will be dropped and if the access list does not !-- match (deny) then traffic will be processed by the router. access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060 access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060 access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061 access-list 100 deny udp host 172.16.1.1 any eq 5060 access-list 100 deny tcp host 172.16.1.1 any eq 5060 access-list 100 deny tcp host 172.16.1.1 any eq 5061 access-list 100 permit udp any any eq 5060 access-list 100 permit tcp any any eq 5060 access-list 100 permit tcp any any eq 5061 !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4 !-- traffic in accordance with existing security policies and !-- configurations for traffic that is authorized to be sent !-- to infrastructure devices. !-- Create a Class-Map for traffic to be policed by !-- the CoPP feature. class-map match-all drop-sip-class match access-group 100 !-- Create a Policy-Map that will be applied to the !-- Control-Plane of the device. policy-map drop-sip-traffic class drop-sip-class drop !-- Apply the Policy-Map to the Control-Plane of the !-- device. control-plane service-policy input drop-sip-traffic 厂商补丁： Cisco ----- Cisco已经为此发布了一个安全公告（cisco-sa-20090923-sip）以及相应补丁: cisco-sa-20090923-sip：Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability 链接：http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml
id	SSV:12401
last seen	2017-11-19
modified	2009-09-28
published	2009-09-28
reporter	Root
title	Cisco IOS SIP消息拒绝服务漏洞

Summary

Vulnerable Configurations

Nessus

Seebug

References