Cisco Firewall Services Module, PIX and ASA SIP Message Denial of Service Vulnerability
Cisco-SA-20070214-CVE-2007-0961 · Medium · Published · Updated
Cisco Firewall Services Module, PIX Security Appliance, and ASA Security Appliance contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability exists due to an error when handling SIP messages. An unauthenticated, remote attacker could exploit this vulnerability by sending a malformed SIP message to an affected device. This action could cause the affected device to reload, resulting in a temporary DoS condition. Repeated attacks can result in a persistent DoS condition.
Cisco has confirmed this vulnerability with a security advisory and released updated software.
Successful exploitation allows the attacker to cause the affected device to reload, which could be considered a temporary DoS condition. Repeated attacks could result in a persistent denial of service condition.
A system is only vulnerable if deep packet inspection of SIP messages is enabled. This is handled by the fixup command in FWSM 2.x and ASA/PIX 6.x, and is enabled for SIP packets by default in these versions. It is handled by the inspect command in both FWSM 3.x and ASA/PIX 7.x. The inspect command is enabled by default in FWSM 3.x, and disabled by default in ASA/PIX 7.x.
Administrators are advised to apply the appropriate patch.
Administrators are advised to restrict access to affected systems.
Administrators may consider disabling deep packet inspection of SIP messages. This may impact devices that are terminating SIP sessions, as some malicious packets that may otherwise have been detected may be allowed to pass through.
Administrators of 3.x FWSM systems or 7.x ASA/PIX devices are advised to disallow traffic from untrusted hosts. However, since SIP is a UDP-based protocol, IP source address spoofing could be used to bypass IP-based ACLs.
The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: cisco-air-20070214-firewall (http://www.cisco.com/en/US/products/products_security_response09186a00807e24b9.html)
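To check whether a device is in the exposed state described above, the following added example (not part of the advisory and not Cisco code) scans a saved running configuration for the two syntaxes the advisory names, the fixup command and the inspect command. The function name and both sample configurations are constructed for illustration. It reports only explicit statements, so the per-version defaults listed above still apply when a statement is absent, and it assumes the plain fixup line covers SIP over TCP while the udp form covers SIP over UDP.

```python
import re

# Constructed sample configurations (not taken from any real device).
PIX6_SAMPLE = """
fixup protocol ftp 21
fixup protocol sip 5060
no fixup protocol sip udp 5060
"""
ASA7_SAMPLE = """
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect sip
policy-map lab_policy
 class inspection_default
  inspect sip
service-policy global_policy global
"""

FIXUP = re.compile(r"^(no\s+)?fixup protocol sip\b\s*(udp)?")
INSPECT = re.compile(r"^\s+(no\s+)?inspect sip\b")

def sip_inspection_status(config):
    """Hypothetical helper: report explicit SIP inspection statements."""
    fixup, with_sip, applied, current = set(), set(), set(), None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].startswith("!"):
            continue
        if not line[0].isspace():  # a top-level command closes any policy-map block
            current = words[1] if words[:1] == ["policy-map"] and len(words) > 1 else None
            if words[0] == "service-policy" and len(words) > 1:
                applied.add(words[1])
        m = FIXUP.match(line)
        if m and not m.group(1):  # fixup syntax: FWSM 2.x, ASA/PIX 6.x
            fixup.add("udp" if m.group(2) else "tcp")
        m = INSPECT.match(line)
        if m and not m.group(1) and current:  # inspect syntax: FWSM 3.x, ASA/PIX 7.x
            with_sip.add(current)
    active = sorted(with_sip & applied)
    return {"fixup": sorted(fixup), "inspect": active,
            "unapplied": sorted(with_sip - applied), "enabled": bool(fixup or active)}

if __name__ == "__main__":
    for name, cfg in (("PIX 6.x", PIX6_SAMPLE), ("ASA 7.x", ASA7_SAMPLE)):
        print(name, sip_inspection_status(cfg))
```

A policy-map that contains inspect sip but is not bound by a service-policy is listed under "unapplied" and does not count as enabled.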