Skinny Client Control Protocol (SCCP) crafted messages may cause a Cisco IOS device that is configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to reload. Cisco has released software updates that address this vulnerability. A workaround that mitigates this vulnerability is available. This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100324-sccp. Note: The March 24, 2010, Cisco IOS Software Security Advisory bundled publication includes seven Security Advisories. All the advisories address vulnerabilities in Cisco IOS Software. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that have been published on March 24, 2010, or earlier: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100324-bundle Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar10.html
Skinny Client Control Protocol (SCCP) crafted messages may cause a Cisco IOS device that is configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to reload.
Cisco has released software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100324-sccp.
Note: The March 24, 2010, Cisco IOS Software Security Advisory bundled publication includes seven Security Advisories. All the advisories address vulnerabilities in Cisco IOS Software. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that have been published on March 24, 2010, or earlier:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100324-bundle
Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar10.html
This security advisory applies to all Cisco products that run Cisco IOS Software configured for Network Address Translation (NAT) and that support the NAT SCCP Fragmentation Support feature. This feature was first introduced in Cisco IOS Software Release 12.4(6)T.
To verify if NAT is enabled on a Cisco IOS device, log into the device and issue the command show ip nat statistics. The following example shows a device configured with NAT:
Vulmon
Router# show ip nat statistics
Total translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet1
Hits: 135 Misses: 5
Expired translations: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool mypool refcount 2
pool mypool: netmask 255.255.255.0
start 192.168.10.1 end 192.168.10.254
type generic, total addresses 14, allocated 2 (14%), misses 0
You can also use the show running-config | include ip nat command to verify if NAT has been enabled on the device.
In NAT traditional configurations, the term "inside" refers to those networks that will be translated. Inside this domain, hosts will have addresses in one address space, while on the "outside", they will appear to have addresses in another address space when NAT is configured. The first address space is referred to as the local address space and the second is referred to as the global address space. The ip nat inside and ip nat outside interface commands must be present on the corresponding router interfaces in order for NAT to be enabled.
The NAT Virtual Interface (NVI) feature removes the requirement to configure an interface as either NAT inside or NAT outside. If the device is configured for NVI, you can use the show ip nat nvi statistics command in user EXEC or privileged EXEC mode, as shown in the following example.
Router# show ip nat nvi statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended) NAT Enabled interfaces:
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool pool1 refcount 1213 pool pool1: netmask 255.255.255.0
start 192.168.1.10 end 192.168.1.253
start 192.168.2.10 end 192.168.2.253
start 192.168.3.10 end 192.168.3.253
start 192.168.4.10 end 192.168.4.253
type generic, total addresses 976, allocated 222 (22%), misses 0
!---output truncated
In order to determine the software that is running on a Cisco IOS product, log in to the device and issue the show version command to display the system banner. Cisco IOS software identifies itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name displays between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices do not have the show version command or give different output.
router>show version
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 16-May-06 16:09 by kellythw
!---output truncated
Cisco IOS XR Software and IOS XE Software are not affected by this vulnerability.
Cisco IOS devices not explicitly configured for NAT are not vulnerable.
No other Cisco products are currently known to be affected by this vulnerability.
The Skinny Client Control Protocol (SCCP) enables voice communication between an SCCP client and a Call Manager (CM). Typically, the CM provides service to the SCCP clients on TCP Port 2000 by default. Initially, an SCCP client connects to the CM by establishing a TCP connection; the client will also establish a TCP connection with a secondary CM, if available.
The NAT SCCP Fragmentation Support feature enables the Skinny Application Layer Gateway (ALG) to reassemble skinny control messages. Since this feature was introduced in Cisco IOS version 12.4(6)T, SCCP payloads requiring reassembly and NAT are no longer dropped.
A series of crafted SCCP packets may cause a Cisco IOS router that is running the NAT SCCP Fragmentation Support feature to reload.
This vulnerability is documented in Cisco Bug ID CSCsy09250 ( registered customers only) and has been assigned the CVE ID CVE-2010-0584.
As workaround, an administrator can disable SCCP NAT support using the no ip nat service skinny tcp port 2000 command, as shown in the following example:
Router(config)# no ip nat service skinny tcp port 2000
Note: If your Cisco CallManager is using a TCP port for skinny signaling different from the default port (2000), you need to adjust this command accordingly.
Caution: This workaround is only feasible on networks where SCCP traffic does
not need to be processed by NAT. Please confirm before implementing this
workaround.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Bundle First Fixed Release" column indicates the earliest possible releases which have fixes for all the published vulnerabilities in this Cisco IOS Security Advisory bundled publication. Cisco recommends upgrading to the latest available release where possible.
|
Major Release |
Availability of Repaired Releases |
|
|---|---|---|
|
Affected 12.0-Based Releases |
First Fixed Release for this Advisory |
First Fixed Release for all Advisories in 24 March 2010 Bundle Publication |
|
There are no affected 12.0 based releases |
||
|
Affected 12.1-Based Releases |
First Fixed Release for this Advisory |
First Fixed Release for all Advisories in 24 March 2010 Bundle Publication |
|
There are no affected 12.1 based releases |
||
|
Affected 12.2-Based Releases |
First Fixed Release for this Advisory |
First Fixed Release for all Advisories in 24 March 2010 Bundle Publication |
|
There are no affected 12.2 based releases |
||
|
Affected 12.3-Based Releases |
First Fixed Release for this Advisory |
First Fixed Release for all Advisories in 24 March 2010 Bundle Publication |
|
There are no affected 12.3 based releases |
||
|
Affected 12.4-Based Releases |
First Fixed Release for this Advisory |
First Fixed Release for all Advisories in 24 March 2010 Bundle Publication |
|
Not Vulnerable |
12.4(25c) 15.0(1)M1 |
|
|
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Not Vulnerable |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Not Vulnerable |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Not Vulnerable |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Not Vulnerable |
12.4(10b)JDD1 |
|
|
Not Vulnerable |
Not Vulnerable |
|
|
Not Vulnerable |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Not Vulnerable |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Not Vulnerable |
Releases prior to 12.4(3g)JMA2 are vulnerable, release 12.4(3g)JMA2 and later are not vulnerable |
|
|
Not Vulnerable |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Not Vulnerable |
Vulnerable; first fixed in 12.4JA |
|
|
12.4(11)MD10 |
12.4(24)MD |
|
|
12.4(22)MDA2 |
12.4(22)MDA2 |
|
|
Releases up to and including 12.4(4)MR1 are not vulnerable. |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Vulnerable; migrate to any release in 15.0M or a fixed 12.4T release. |
Vulnerable; migrate to any release in 15.0M or a fixed 12.4 release. |
|
|
12.4(20)T4 12.4(22)T3 12.4(15)T10 12.4(24)T2 |
12.4(15)T12 12.4(20)T5 12.4(24)T3; Available on 26-MAR-10 12.4(22)T4 |
|
|
Not Vulnerable |
Vulnerable; migrate to any release in 15.0M or a fixed 12.4 release. |
|
|
Not Vulnerable |
Vulnerable; migrate to any release in 15.0M or a fixed 12.4 release. |
|
|
Vulnerable; migrate to any release in 15.0M or a fixed 12.4T release. |
Vulnerable; migrate to any release in 15.0M or a fixed 12.4 release. |
|
|
Not Vulnerable |
Vulnerable; migrate to any release in 15.0M or a fixed 12.4 release. |
|
|
Vulnerable; migrate to any release in 15.0M or a fixed 12.4T release. |
Vulnerable; migrate to any release in 15.0M or a fixed 12.4 release. |
|
|
Vulnerable; migrate to any release in 15.0M or a fixed 12.4T release. |
Vulnerable; migrate to any release in 15.0M or a fixed 12.4 release. |
|
|
Vulnerable; migrate to any release in 15.0M or a fixed 12.4T release. |
Vulnerable; migrate to any release in 15.0M or a fixed 12.4 release. |
|
|
Vulnerable; migrate to any release in 15.0M or a fixed 12.4T release. |
Vulnerable; migrate to any release in 15.0M or a fixed 12.4 release. |
|
|
Vulnerable; migrate to any release in 15.0M or a fixed 12.4T release. |
Vulnerable; migrate to any release in 15.0M or a fixed 12.4 release. |
|
|
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Vulnerable; migrate to any release in 15.0M or a fixed 12.4T release. |
Vulnerable; migrate to any release in 15.0M or a fixed 12.4 release. |
|
|
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Vulnerable; migrate to any release in 15.0M or a fixed 12.4T release. |
Vulnerable; migrate to any release in 15.0M or a fixed 12.4 release. |
|
|
12.4(22)XR3 |
12.4(22)XR3 |
|
|
Vulnerable; migrate to any release in 15.0M or a fixed 12.4T release. |
Vulnerable; migrate to any release in 15.0M or a fixed 12.4 release. |
|
|
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Vulnerable; migrate to any release in 15.0M or a fixed 12.4T release. |
Vulnerable; migrate to any release in 15.0M or a fixed 12.4 release. |
|
|
Vulnerable; migrate to any release in 15.0M or a fixed 12.4T release. |
Vulnerable; migrate to any release in 15.0M or a fixed 12.4 release. |
|
|
Vulnerable; migrate to any release in 15.0M or a fixed 12.4T release. |
Vulnerable; migrate to any release in 15.0M or a fixed 12.4 release. |
|
|
Vulnerable; migrate to any release in 15.0M or a fixed 12.4T release. |
Vulnerable; migrate to any release in 15.0M or a fixed 12.4 release. |
|
|
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
12.4(22)YE2 |
12.4(22)YE2 12.4(24)YE |
|
|
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|
|
Affected 15.0-Based Releases |
First Fixed Release for this Advisory |
First Fixed Release for all Advisories in 24 March 2010 Bundle Publication |
|
There are no affected 15.0 based releases |
||
|
Affected 15.1-Based Releases |
First Fixed Release for this Advisory |
First Fixed Release for all Advisories in 24 March 2010 Bundle Publication |
|
There are no affected 15.1 based releases |
||
|
IOS-XE Release |
First Fixed Release |
|---|---|
|
2.1.x |
Not Vulnerable |
|
2.2.x |
Not Vulnerable |
|
2.3.x |
Not Vulnerable |
|
2.4.x |
Not Vulnerable |
|
2.5.x |
Not Vulnerable |
|
2.6.x |
Not Vulnerable |
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was found during the resolution of customer service requests.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
|
Revision 1.0 |
2010-March-24 |
Initial public release |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.