In a recent security alert, Cisco Systems warned that Cisco IOS is vulnerable to a malicious attack (refer to Cisco's warning about critical IOS vulnerabilities). By exploiting this vulnerability, hackers can execute malicious code on Cisco devices or launch a DDoS (denial-of-service) attack. Since at least 70% of the routers on the Internet are Cisco routers, this vulnerability is particularly noteworthy. What can you do to protect the basic infrastructure of your router? This article discusses that question.
Which products are affected?
Only routers that have a Cisco Unified Communications Manager and support voice services are affected. If your router meets either of these two conditions, you should take action. If you are not sure whether your router has a voice service (Session Initiation Protocol, SIP) enabled, check it.
Which IOS versions are affected?
Only certain releases of IOS 12.3, and all releases of IOS 12.4, are affected by this vulnerability. The vulnerability is exposed only when the SIP protocol is active. To view the IOS version you are running, type the show version command.
How do I know if I have enabled the SIP protocol?
Note the following important point: Cisco IOS is vulnerable even if SIP is not explicitly configured. All that is required is that the router is listening for SIP communication.
Run the following three commands to check whether your router is listening for SIP requests:
    show ip sockets
    show udp
    show tcp brief all
Note: The "show ip sockets" command may not run on a newer IOS version, and the "show tcp brief all" command may not return any output. The following is the output from my router:
    Router# show ip sockets
    ^
    % Invalid input detected at '^' marker.
    Router# show udp
    Proto Remote Port Local Port In Out Stat TTY OutputIF
    17 --listen-- --any-- 68 0 0 1 0
    17 --listen-- --any-- 2887 0 0 11 0
    17 0.0.0.0 0 192.168.1.100 67 0 0 2211 0
    Router# show tcp brief all
    Router#
You are looking for any listener on the following protocols and port numbers: TCP 5060, 5061, 1720, 11720 and UDP 5060, 5061, 2427, 2517, 16384-32767.
You can see from the output of the author's router that none of these ports is open. If you do have such a listener, your output will look like the following:
    Router# show ip sockets
    Proto Remote Port Local Port In Out Stat TTY OutputIF
    17 0.0.0.0 0 --any-- 5060 0 0 211 0
    Router# show tcp brief all
    TCB Local Address Foreign Address (state)
    835F9624 *.5060 *.* LISTEN
Note that the listening port is 5060 in both cases.
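The check described above is easy to do by eye on one router but tedious across many. The following script is an added example, not code from the article or from Cisco: it parses pasted "show udp" / "show ip sockets" and "show tcp brief all" output (using the column layout shown in the article's own samples) and flags any local port that falls in the voice/SIP port list given above. The sample outputs embedded below are constructed from the article's two examples; the column layout of "show ip sockets" is assumed to match "show udp", as it does in those examples.

```python
"""Flag SIP/voice listeners in Cisco IOS 'show udp' / 'show tcp brief all' output.

Added example for the article's port check; not Cisco code. It assumes the
column layout seen in the article's sample output.
"""

# Ports the article says to look for.
VOICE_TCP_PORTS = {5060, 5061, 1720, 11720}
VOICE_UDP_PORTS = {5060, 5061, 2427, 2517}
VOICE_UDP_RTP_RANGE = range(16384, 32768)   # 16384-32767 inclusive


def udp_is_voice_port(port):
    """True if a UDP local port is one the article lists as voice/SIP related."""
    return port in VOICE_UDP_PORTS or port in VOICE_UDP_RTP_RANGE


def parse_udp_listeners(text):
    """Return [(local_addr, local_port)] from 'show udp' or 'show ip sockets' output.

    Rows look like either
        17 --listen-- --any-- 68 0 0 1 0                 (Remote Port column blank)
        17 0.0.0.0 0 192.168.1.100 67 0 0 2211 0          (all columns present)
    so the local address/port sit at different token positions.
    """
    listeners = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or not t[0].isdigit():
            continue                      # prompt, header, error text, blank line
        if t[1] == "--listen--":
            local, lport = t[2], t[3]
        else:
            local, lport = t[3], t[4]
        if lport.isdigit():
            listeners.append((local, int(lport)))
    return listeners


def parse_tcp_listeners(text):
    """Return [(local_addr, local_port)] for LISTEN rows of 'show tcp brief all'.

    Rows look like: 835F9624 *.5060 *.* LISTEN
    """
    listeners = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] == "TCB" or t[-1] != "LISTEN":
            continue                      # prompt, header, or non-listening socket
        addr, _, port = t[1].rpartition(".")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def find_voice_listeners(udp_text, tcp_text):
    """Return [(proto, local_addr, port)] for every listener on a voice/SIP port."""
    hits = []
    for local, port in parse_udp_listeners(udp_text):
        if udp_is_voice_port(port):
            hits.append(("udp", local, port))
    for local, port in parse_tcp_listeners(tcp_text):
        if port in VOICE_TCP_PORTS:
            hits.append(("tcp", local, port))
    return hits


# Constructed sample output, taken from the article's two examples.
SAMPLE_UDP_CLEAN = """\
Router# show udp
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- --any-- 68 0 0 1 0
17 --listen-- --any-- 2887 0 0 11 0
17 0.0.0.0 0 192.168.1.100 67 0 0 2211 0
"""
SAMPLE_TCP_CLEAN = """\
Router# show tcp brief all
Router#
"""
SAMPLE_UDP_SIP = """\
Router# show ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 --any-- 5060 0 0 211 0
"""
SAMPLE_TCP_SIP = """\
Router# show tcp brief all
TCB Local Address Foreign Address (state)
835F9624 *.5060 *.* LISTEN
"""

if __name__ == "__main__":
    for label, udp, tcp in (("clean router", SAMPLE_UDP_CLEAN, SAMPLE_TCP_CLEAN),
                            ("SIP listener", SAMPLE_UDP_SIP, SAMPLE_TCP_SIP)):
        print(label, "->", find_voice_listeners(udp, tcp) or "no voice listeners")
```

In practice you would capture the three commands' output from each router (for example over an SSH session) and pass the text to find_voice_listeners; an empty result matches the article's clean example, while a non-empty one means the router is listening on a port the advisory concerns and should be reviewed.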