In a recent security alert, Cisco Systems warned that Cisco IOS is vulnerable to a malicious attack (see Cisco warns of critical IOS flaws). By exploiting this vulnerability, an attacker could execute arbitrary code on the Cisco device or cause a denial of service. As at least 70% of the routers on the Internet are Cisco routers, this vulnerability is of great concern. What can you do to protect your router infrastructure? Let's find out.
Which products are affected?
Only Cisco routers that have Cisco Unified Communications Manager or voice services enabled. If your router meets either of these conditions, you should take action. If you are unsure whether your routers have voice services (the SIP protocol) enabled, you should check, as described below.
What specific versions of the IOS are affected?
Only certain versions of IOS 12.3 and all versions of 12.4 are affected by this vulnerability -- and only if the SIP protocol is enabled. To find out which version of the IOS you are running, use show version.
How do I know whether I have the SIP protocol enabled?
It is important to note that Cisco IOS can be vulnerable to attack even if SIP has never been explicitly configured. All it takes is that the router be listening for SIP traffic.
Run the following three commands to see whether your router is listening for incoming SIP requests:
show ip sockets
show udp
show tcp brief all
Note: The "show ip sockets" command may not work on newer versions of the IOS. The "show tcp brief all" command may not return any output. Here is sample output from my router:
What you are looking for are any inbound openings (listeners) for the following protocols and port numbers: TCP 5060, 5061, 1720 and 11720, and UDP 5060, 5061, 2427, 2517 and 16384 - 32767.
As you can see from my router output, I did not have any. Here is what it might look like if you did have an opening:
Notice the port number 5060 in both cases.
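As an added example (not part of the original article and not a Cisco tool), the following Python script parses saved output of the three commands above and flags any listener on the TCP and UDP voice ports listed. The sample output embedded in it is constructed for illustration; the column layout, the "--listen--" marker in show ip sockets / show udp, and the address.port notation in show tcp brief all are assumptions about how these IOS releases format their output, so adjust the two parsers if your router prints something different.

```python
"""Flag SIP/voice listeners in saved output of 'show ip sockets', 'show udp'
and 'show tcp brief all'.  Added example: not from the original article and
not a Cisco tool.  The sample output below is constructed, and the column
layout the parsers expect is an assumption about the IOS 12.x format."""

# Ports the article says to look for.
VOICE_TCP_PORTS = {5060, 5061, 1720, 11720}
VOICE_UDP_PORTS = {5060, 5061, 2427, 2517}
VOICE_UDP_RANGES = [(16384, 32767)]   # RTP media ports


def is_voice_port(proto, port):
    """True if (proto, port) is one of the voice listeners to worry about."""
    if proto == "tcp":
        return port in VOICE_TCP_PORTS
    if port in VOICE_UDP_PORTS:
        return True
    return any(lo <= port <= hi for lo, hi in VOICE_UDP_RANGES)


def parse_ip_sockets(text):
    """Parse 'show ip sockets' or 'show udp' output into (proto, local_ip, port).

    Assumed columns: Proto Remote Port Local Port In Out Stat TTY OutputIF.
    Proto is the IP protocol number (6 = TCP, 17 = UDP).  A socket with no
    remote peer shows '--listen--' in place of the Remote and Port columns."""
    sockets = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("6", "17"):
            continue                      # header or blank line
        proto = "tcp" if tok[0] == "6" else "udp"
        if tok[1] == "--listen--":
            local_ip, port = tok[2], tok[3]
        elif len(tok) >= 5:
            local_ip, port = tok[3], tok[4]
        else:
            continue
        if port.isdigit():
            sockets.append((proto, local_ip, int(port)))
    return sockets


def parse_tcp_brief(text):
    """Parse 'show tcp brief all' output and keep sockets in LISTEN state.

    Assumed columns: TCB LocalAddress ForeignAddress (state), with the local
    address written as '<ip>.<port>', or '*.<port>' for any address."""
    listeners = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[-1] != "LISTEN":
            continue
        local_ip, _, port = tok[1].rpartition(".")
        if port.isdigit():
            listeners.append(("tcp", local_ip, int(port)))
    return listeners


def voice_listeners(ip_sockets_output, tcp_brief_output):
    """Return the sorted, de-duplicated voice-port listeners found in both outputs."""
    found = parse_ip_sockets(ip_sockets_output) + parse_tcp_brief(tcp_brief_output)
    return sorted({s for s in found if is_voice_port(s[0], s[2])})


# Constructed sample output: a router that is listening for SIP on UDP and
# TCP 5060 even though nothing SIP-related was configured.
SAMPLE_IP_SOCKETS = """\
Proto    Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17  --listen--               192.0.2.1         67   0   0  1001   0
 17  --listen--               192.0.2.1        161   0   0  1001   0
 17  --listen--               192.0.2.1       5060   0   0  11     0
 17  0.0.0.0                0  192.0.2.1        123   0   0  1      0
"""

SAMPLE_TCP_BRIEF = """\
TCB       Local Address           Foreign Address        (state)
6523A4FC  *.22                    *.*                    LISTEN
6523B1A0  192.0.2.1.23            198.51.100.7.40122     ESTAB
65241D88  *.5060                  *.*                    LISTEN
"""

if __name__ == "__main__":
    hits = voice_listeners(SAMPLE_IP_SOCKETS, SAMPLE_TCP_BRIEF)
    if not hits:
        print("No voice/SIP listeners found.")
    for proto, ip, port in hits:
        print(f"VOICE LISTENER: {proto.upper()} {ip}:{port}")
```

Paste the real command output into the two sample strings (or read it from files) and run the script; an empty result corresponds to the "no openings" case, while a 5060 hit on either protocol is the pattern the article tells you to look for.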
How to protect your Cisco routers from attack
Here are three ways to protect your routers from attack:
IOS secure copy vulnerability
In a separate announcement, Cisco said that certain versions of the IOS are vulnerable to a secure copy (SCP) vulnerability. To protect your routers from attack via this vulnerability, either upgrade to the latest IOS version (which resolves the SCP issue) or disable the secure copy server with this command:
Router(config)# no ip scp server enable
Summary
Commonly, Cisco routers directly connected to the Internet do not process voice traffic, so internal routers that do process voice are the ones most likely to be affected by this vulnerability. The most important thing is to determine which routers are affected. To protect yourself from this vulnerability, either disable the SIP protocol where it is not needed, or mitigate the exposure by filtering SIP traffic that arrives at your Cisco routers.
You can find more information on this IOS vulnerability, including the specific version numbers that are affected, from Cisco Systems.
About the author:
David Davis (CCIE #9369, CWNA, VCP, MCSE, CISSP, Linux+, CEH) has been in the IT industry for 15 years. Currently, he manages a group of systems/network administrators for a privately owned retail company and authors IT-related material in his spare time. You can find his how-to articles and video course covering Windows, Cisco networking, and virtualization at his Web site, HappyRouter.com.