Secure Cisco routers against IOS flaw attack


David Davis
08.16.2007


In a recent security alert, Cisco Systems warned that the Cisco IOS is vulnerable to a malicious attack (see Cisco warns of critical IOS flaws). By exploiting this vulnerability, a hacker could execute malicious code on the Cisco device or conduct a denial-of-service attack. As at least 70% of the routers on the Internet are Cisco routers, this vulnerability is of great concern. What can you do to protect your router infrastructure? Let's find out.

Which products are affected?

Only Cisco routers running Cisco Unified Communications Manager or with voice services enabled are affected. If your router fits either of these conditions, you should take action. If you are unsure whether your routers have voice services (the SIP protocol) enabled, you should check.

What specific versions of the IOS are affected?

Only certain versions of IOS 12.3 and all versions of 12.4 are affected by this vulnerability -- and only if you have the SIP protocol enabled. To find out what version of the IOS you are running, just type show version.

How do I know whether I have the SIP protocol enabled?

It is important to note that the Cisco IOS can be vulnerable to attack even if SIP has not been specifically configured. All it takes is that the router be listening for SIP traffic.

Run the following three commands to see whether your router is listening for incoming SIP requests:

show ip sockets

show udp

show tcp brief all

Note: The "show ip sockets" command may not work on newer versions of the IOS. The "show tcp brief all" command may not return any output. Here is sample output from my router:

What you are looking for are any inbound openings (listeners) for the following protocols and port numbers: TCP 5060, 5061, 1720, 11720 and UDP 5060, 5061, 2427, 2517, 16384 - 32767.

As you can see from my router output, I did not have any. Here is what it might look like if you did have an opening:

Notice the port number 5060 in both cases.
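The check above can be scripted. The following Python is an added illustration, not code from the article or from Cisco: it parses constructed sample output in the layouts of show ip sockets / show udp and show tcp brief all and reports any listener on the SIP and voice ports listed above. The column layout and the sample data are assumptions, since IOS output differs between releases.

```python
import re

# Listener ports the article says to look for (TCP 5060, 5061, 1720, 11720;
# UDP 5060, 5061, 2427, 2517 and the RTP range 16384-32767).
SIP_TCP_PORTS = {5060, 5061, 1720, 11720}
SIP_UDP_PORTS = {5060, 5061, 2427, 2517} | set(range(16384, 32768))

# Constructed sample in the column layout of "show ip sockets" / "show udp" (layout assumed; it varies by release).
SAMPLE_IP_SOCKETS = """\
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
 17 --listen--          10.1.1.1       5060   0   0    1   0
 17 --listen--          10.1.1.1       2427   0   0    1   0
 17 --listen--          10.1.1.1         67   0   0    1   0
 17 192.0.2.10         123   10.1.1.1        123   0   0   11   0
"""

# Constructed sample for "show tcp brief all" (layout assumed).
SAMPLE_TCP_BRIEF = """\
TCB       Local Address               Foreign Address             (state)
6523A4FC  *.5060                      *.*                         LISTEN
6523B2B8  10.1.1.1.22                 192.0.2.10.51234            ESTAB
65240E10  *.1720                      *.*                         LISTEN
"""

TCP_BRIEF_RE = re.compile(r"^\s*[0-9A-Fa-f]+\s+\S+\.(\d+)\s+\S+\s+(\w+)")

def udp_listeners(ip_sockets_text):
    """UDP ports with a --listen-- socket in show ip sockets / show udp output."""
    ports = set()
    for line in ip_sockets_text.splitlines():
        fields = line.split()
        # Protocol 17 is UDP; "--listen--" stands in for remote address and port, so the local port is field 4.
        if len(fields) >= 4 and fields[0] == "17" and fields[1] == "--listen--":
            ports.add(int(fields[3]))
    return ports

def tcp_listeners(tcp_brief_text):
    """TCP ports in LISTEN state from show tcp brief all output."""
    ports = set()
    for line in tcp_brief_text.splitlines():
        m = TCP_BRIEF_RE.match(line)
        if m and m.group(2) == "LISTEN":
            ports.add(int(m.group(1)))
    return ports

def voice_exposure(ip_sockets_text, tcp_brief_text):
    """Open SIP/voice listeners as sorted (protocol, port) pairs for reporting."""
    hits = [("udp", p) for p in udp_listeners(ip_sockets_text) & SIP_UDP_PORTS]
    hits += [("tcp", p) for p in tcp_listeners(tcp_brief_text) & SIP_TCP_PORTS]
    return sorted(hits)
```

Connected sockets (the NTP line) and non-voice listeners (UDP 67, TCP 22) are ignored; only the ports named above are reported, which is the list a router with SIP exposed would show.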

How to protect your Cisco routers from attack

Here are three ways to protect your routers from attack:

IOS secure copy vulnerability

In a separate announcement, Cisco said that certain versions of the IOS are vulnerable to a secure copy (SCP) vulnerability. To protect your routers from attack via this vulnerability, either upgrade to the latest IOS version (which resolves the SCP vulnerability issue) or disable the secure copy service with this command:

Router(config)# no ip scp server enable

Summary

Commonly, Cisco routers directly connected to the Internet are not processing voice traffic, so it is more likely that internal routers processing voice may be affected by this vulnerability. The most important thing is that you determine which routers are affected. To protect yourself from this vulnerability, you can either disable the SIP protocol where it is not needed, or you can perform traffic mitigation by filtering traffic arriving at your Cisco routers.

You can find more information on this IOS vulnerability, including the specific version numbers that are affected, from Cisco Systems.

About the author:
David Davis (CCIE #9369, CWNA, VCP, MCSE, CISSP, Linux+, CEH) has been in the IT industry for 15 years. Currently, he manages a group of systems/network administrators for a privately owned retail company and authors IT-related material in his spare time. You can find his how-to articles and video course covering Windows, Cisco networking, and virtualization at his Web site, HappyRouter.com.

