In a recent security alert, Cisco Systems warned that Cisco IOS is vulnerable to a remote attack (refer to Cisco's warning about critical IOS vulnerabilities). By exploiting this vulnerability, attackers can execute malicious code on Cisco devices or cause a denial of service (DoS). Because Cisco routers make up a large share of the routers on the Internet (the author puts the figure at 70% or more), this vulnerability is particularly noteworthy. What can you do to protect your router infrastructure? This article discusses that question.
Which products are affected?
Only routers that have Cisco Unified Communications Manager or that support voice services are affected. If your router meets either of these two conditions, you should take action. If you are not sure whether your router provides a voice service (Session Initiation Protocol, SIP), check it as described below.
Which IOS versions are affected?
Only some versions of IOS 12.3 and all versions of IOS 12.4 are affected by this vulnerability, and only when the router is listening for SIP. To see which IOS version you are running, enter the show version command.
How do I know if SIP is enabled?
Note that Cisco IOS is vulnerable even if SIP has not been explicitly configured. All that is needed is for the router to be listening for SIP traffic.
Run the following three commands to check whether your router is listening for SIP requests:

    show ip sockets
    show udp
    show tcp brief all
Note: The show ip sockets command may not be available on newer IOS versions, and show tcp brief all may return no output at all. The following is the output from my router:
    Router# show ip sockets
                    ^
    % Invalid input detected at '^' marker.
    Router# show udp
    Proto    Remote      Port      Local          Port  In  Out  Stat  TTY  OutputIF
    17       --listen--            any            68    0   0    1     0
    17       --listen--            any            2887  0   0    11    0
    17       0.0.0.0     0         192.168.1.100  67    0   0    2211  0
    Router# show tcp brief all
    Router#
You are looking for any listener on the following protocols and port numbers: TCP 5060, 5061, 1720, 11720 and UDP 5060, 5061, 2427, 2517, 16384-32767.
You can see from the output of the author's router that there is no listener on any of these ports. If you do have such a listener, your output will look like the following:
    Router# show ip sockets
    Proto    Remote      Port      Local          Port  In  Out  Stat  TTY  OutputIF
    17       0.0.0.0     0         --any--        5060  0   0    211   0
    Router# show tcp brief all
    TCB       Local Address       Foreign Address     (state)
    835F9624  *.5060              *.*                 LISTEN
Note that in both cases the listening port is 5060, the standard SIP port.
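Reading these listings by eye is error-prone once a router has more than a handful of sockets, so the following is an added example (not code from the original article or from Cisco) that parses show udp / show ip sockets and show tcp brief all output and reports every listener on the ports listed above. The sample outputs embedded in it are constructed to match the listings shown in this article, not captured from a real device; the port list is the one the article gives, with UDP 16384-32767 treated as a range.

```python
"""Check Cisco IOS socket listings for the SIP/voice listeners this article warns about.

Added example; the sample 'show' output below is constructed to mirror the article's
listings, not captured from a real router.
"""

# Ports the article tells you to look for.  UDP 16384-32767 is the RTP media range,
# so it is handled as a range rather than enumerated.
VOICE_TCP_PORTS = {5060, 5061, 1720, 11720}
VOICE_UDP_PORTS = {5060, 5061, 2427, 2517}
VOICE_UDP_RANGES = ((16384, 32767),)


def is_voice_port(proto, port):
    """True if a listener on proto/port is one the article says to worry about."""
    if proto == "tcp":
        return port in VOICE_TCP_PORTS
    if port in VOICE_UDP_PORTS:
        return True
    return any(lo <= port <= hi for lo, hi in VOICE_UDP_RANGES)


def udp_listeners(show_udp):
    """Parse 'show udp' (or 'show ip sockets' on older IOS; same column layout).

    Returns (local_address, local_port) for every UDP socket.  Data rows start with
    the protocol number (17).  '--listen--' rows carry no remote-port column, so the
    Local/Port columns sit one token further left than on rows with a remote peer.
    """
    sockets = []
    for line in show_udp.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # header, prompt, or blank line
        if tokens[1] == "--listen--":
            local, port = tokens[2], tokens[3]
        else:
            local, port = tokens[3], tokens[4]
        sockets.append((local, int(port)))
    return sockets


def tcp_listeners(show_tcp):
    """Parse 'show tcp brief all'; returns (local_address, port) for LISTEN rows.

    The Local Address column is 'addr.port', with '*' meaning any address, e.g.
    '*.5060'.  An empty listing (normal when nothing is listening) yields [].
    """
    sockets = []
    for line in show_tcp.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[-1] != "LISTEN":
            continue
        addr, _, port = tokens[1].rpartition(".")
        sockets.append((addr, int(port)))
    return sockets


def voice_exposure(show_udp, show_tcp):
    """Return [(proto, local_address, port), ...] for every voice listener found.

    An empty list means the router is not listening on any port the article lists.
    """
    findings = [("udp", addr, port) for addr, port in udp_listeners(show_udp)
                if is_voice_port("udp", port)]
    findings += [("tcp", addr, port) for addr, port in tcp_listeners(show_tcp)
                 if is_voice_port("tcp", port)]
    return findings


# Constructed samples: a router with no voice listeners ...
SHOW_UDP_CLEAN = """\
Router# show udp
Proto    Remote      Port      Local          Port  In  Out  Stat  TTY  OutputIF
17       --listen--            any            68    0   0    1     0
17       --listen--            any            2887  0   0    11    0
17       0.0.0.0     0         192.168.1.100  67    0   0    2211  0
"""
SHOW_TCP_CLEAN = ""  # 'show tcp brief all' printed nothing

# ... and one listening for SIP on UDP and TCP 5060.
SHOW_UDP_SIP = """\
Proto    Remote      Port      Local          Port  In  Out  Stat  TTY  OutputIF
17       0.0.0.0     0         --any--        5060  0   0    211   0
"""
SHOW_TCP_SIP = """\
TCB       Local Address       Foreign Address     (state)
835F9624  *.5060              *.*                 LISTEN
"""

if __name__ == "__main__":
    for label, udp, tcp in (("clean", SHOW_UDP_CLEAN, SHOW_TCP_CLEAN),
                            ("sip", SHOW_UDP_SIP, SHOW_TCP_SIP)):
        found = voice_exposure(udp, tcp)
        print(label, "->", "no voice listeners" if not found else found)
```

Paste the real command output into the two strings (or read it from a file) and treat any non-empty result as "take action": either disable SIP or filter it as described in the next section.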
How to protect the router from attacks?
There are three ways to protect your routers from this attack:
1. Check whether an IOS software upgrade that fixes this vulnerability is available. At the time of writing, no fixed IOS version was available to me. Upgrading a router can be painful, but it is the real fix. However, if your router is particularly exposed, do not simply wait for a new IOS release, because the router may be attacked in the meantime. If SIP is not required, disable the SIP service immediately; otherwise filter the traffic so that only legitimate SIP traffic can reach or leave the vulnerable Cisco router.
2. If SIP (voice service) is not required on the device, you can disable it with the following commands:

    Router(config)# sip-ua
    Router(config-sip-ua)# no transport udp
    Router(config-sip-ua)# no transport tcp
    Router(config-sip-ua)# end

These commands stop the router from listening for SIP over UDP and TCP, which removes the exposure to this vulnerability. Re-run the show commands above afterwards to confirm that the port 5060 listener is gone.
3. Finally, if your router does require SIP (voice service) and no IOS upgrade is available, you should permit only legitimate traffic to reach the vulnerable Cisco IOS device. This is as simple as creating an access control list (ACL): in this ACL, we permit SIP traffic from the known SIP devices and deny SIP traffic from every other host.
Here is an example (ACL: deny unknown SIP):
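The article's own ACL listing is not reproduced on this page, so the following is an added example (not the author's ACL and not Cisco's) that builds the "permit known SIP peers, deny everyone else's SIP, permit everything else" ACL and then checks what it does to a few sample packets with a first-match evaluator, which is how IOS processes an ACL. The peer addresses, the ACL name and the test packets are assumptions for illustration.

```python
"""Build the 'deny unknown SIP' ACL the article describes and evaluate it.

Added example; the peer addresses and ACL name are assumptions, not values from the
article or from any real network.
"""
from ipaddress import ip_address

SIP_PORTS = (5060, 5061)                       # SIP over UDP/TCP; 5061 is SIP over TLS
KNOWN_SIP_PEERS = ("10.1.1.10", "10.1.1.11")   # assumed: the SIP devices you trust
ACL_NAME = "DENY-UNKNOWN-SIP"                  # assumed ACL name


def build_sip_acl(known_peers, acl_name=ACL_NAME, ports=SIP_PORTS):
    """Return IOS config lines for a named extended ACL.

    Order matters: IOS ACLs are first-match and end with an implicit 'deny ip any
    any', so the permits for known peers must come before the SIP denies, and the
    trailing 'permit ip any any' is what keeps non-SIP traffic flowing.
    """
    lines = [f"ip access-list extended {acl_name}"]
    for peer in known_peers:
        ip_address(peer)  # raise ValueError on a typo instead of emitting bad config
        for proto in ("udp", "tcp"):
            for port in ports:
                lines.append(f" permit {proto} host {peer} any eq {port}")
    for proto in ("udp", "tcp"):
        for port in ports:
            lines.append(f" deny {proto} any any eq {port}")
    lines.append(" permit ip any any")
    return lines


def acl_decision(acl_lines, proto, src, dst_port):
    """First-match evaluation of an ACL produced by build_sip_acl.

    Understands the entry shapes that function emits: '<action> <proto> host <ip> any
    [eq <port>]' and '<action> <proto> any any [eq <port>]'.  Returns 'permit' or
    'deny'; a packet matching no entry hits IOS's implicit deny.
    """
    for line in acl_lines[1:]:            # skip the 'ip access-list extended' header
        tokens = line.split()
        action, ace_proto = tokens[0], tokens[1]
        if tokens[2] == "host":           # source is a single host
            src_ok = ip_address(src) == ip_address(tokens[3])
            rest = tokens[4:]
        else:                             # source is 'any'
            src_ok = True
            rest = tokens[3:]
        # rest is ['any'] (no port test) or ['any', 'eq', '<port>']
        port_ok = len(rest) < 3 or int(rest[2]) == dst_port
        proto_ok = ace_proto in ("ip", proto)
        if proto_ok and src_ok and port_ok:
            return action
    return "deny"                         # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    acl = build_sip_acl(KNOWN_SIP_PEERS)
    print("\n".join(acl))
    # Constructed test packets: (proto, source, destination port)
    for pkt in (("udp", "10.1.1.10", 5060), ("udp", "192.0.2.77", 5060),
                ("tcp", "192.0.2.77", 5061), ("tcp", "192.0.2.77", 22)):
        print(pkt, "->", acl_decision(acl, *pkt))
```

Apply the generated ACL inbound on the interfaces that face untrusted networks (ip access-group DENY-UNKNOWN-SIP in under the interface). The deny entries match SIP to any destination; if the router forwards legitimate SIP between other hosts, narrow the deny lines to the router's own addresses so only traffic aimed at the vulnerable SIP listener is dropped.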
IOS secure copy (SCP) vulnerability
In a separate advisory, Cisco acknowledged that some IOS versions are vulnerable to a secure copy (SCP) vulnerability. To protect your router from it, upgrade to the latest IOS version (which fixes the SCP vulnerability), or disable the SCP server with the following command:

    Router(config)# no ip scp server enable
Summary
Generally, Cisco routers connected directly to the Internet do not handle voice traffic, so it is the internal routers that handle voice that are most likely to be affected by this vulnerability. The most important step is to determine which of your routers are affected. To protect yourself, disable SIP on the devices that do not need it, and filter the traffic that reaches the routers that do.
You can find more information about this IOS vulnerability from Cisco Systems, including the IOS version numbers that are affected.