Available Languages

Updated:December 10, 2011

Document ID:1454182365110100

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Cisco Security Advisory

Voice Vulnerabilities in Cisco IOS and Cisco Unified Communications Manager

Critical

Advisory ID:

cisco-sa-20070808-IOS-voice

First Published:

2007 August 8 16:00 GMT

Version 2.0:

Final

Workarounds:

See below

Cisco Bug IDs:

CSCeb21064

CSCsb24007

CSCsc60249

More...

CVE-2007-4291

CVE-2007-4292

CVE-2007-4294

More...

CWE-399

CWE-94

CVSS Score:

Base 10.0, Temporal 8.3

CVE-2007-4291

CVE-2007-4292

CVE-2007-4294

More...

CWE-399

CWE-94

Summary

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
- Session Initiation Protocol (SIP)
- Media Gateway Control Protocol (MGCP)
- Signaling protocols H.323, H.254
- Real-time Transport Protocol (RTP)
- Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-IOS-voice.

Note: The August 08, 2007 publication includes four Security Advisories and one Security Response. The advisories all affect IOS, one additionally affects Cisco Unified Communications Manager as well. Each advisory lists the releases that correct the vulnerability described in the advisory, and the advisories also detail the releases that correct the vulnerabilities in all four advisories. Individual publication links are listed below:
- Cisco IOS Information Leakage Using IPv6 Routing Header
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-IOS-IPv6-leak
- Cisco IOS Next Hop Resolution Protocol Vulnerability
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-nhrp
- Cisco IOS Secure Copy Authorization Bypass Vulnerability
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-scp
- Voice Vulnerabilities in Cisco IOS and Cisco Unified Communications Manager
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-IOS-voice
- Cisco Unified MeetingPlace XSS Vulnerability
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070808-mp

Affected Products

These vulnerabilities only affect devices running Cisco IOS that have voice services enabled. The only exception is the vulnerability documented as Cisco bug ID CSCsi80102 ( registered customers only) , which also exists on Cisco Unified Communications Manager.
Vulnerable Products
To determine the software running on a Cisco IOS product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices will not have the show version command, or will give different output.

The following example shows output from a device running an IOS image:

Router>show version Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(14)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by Cisco Systems, Inc. Compiled Thu 31-Mar-05 08:04 by yiyan

Additional information about Cisco IOS release naming is available at the following link: http://www.cisco.com/web/about/security/intelligence/ios-ref.html.

SIP-related vulnerabilities

Any Cisco device that runs a vulnerable version of IOS and supports SIP processing could be vulnerable. This includes multiple IOS versions of 12.2, 12.3 and 12.4. Routers that are configured as SIP Public Switched Telephone Network (PSTN) Gateways and SIP Session Border Controllers (SBCs) are vulnerable. The CAT6000-CMM card is also vulnerable.

To determine if the device has SIP enabled, enter the commands show ip sockets and show tcp brief all. In some newer IOS releases the command show ip sockets is removed. If that is the case use show udp. The output is identical to the show ip sockets command.

Router#show ip sockets Proto Remote Port Local Port In Out Stat TTY OutputIF 17 0.0.0.0 0 --any-- 5060 0 0 211 0 17 0.0.0.0 0 192.168.100.2 67 0 0 2211 0 17 0.0.0.0 0 192.168.100.2 2517 0 0 11 0

The first line with UDP Port 5060 shows that UDP SIP is enabled.

Router#show tcp brief all TCB Local Address Foreign Address (state) 2051E680 *.5060 *.* LISTEN

The above lines with *.5060 show that TCP SIP is enabled.

The device is vulnerable even if it does not have SIP explicitly configured. If the output of the show ip sockets command is showing that the device is listening to port 5060, then the device is vulnerable.

MGCP-related vulnerabilities

To determine whether MGCP is configured on an IOS device, look for either of the following lines in in the Cisco IOS configuration:

Router#show running config .... voice-port 1/1/1 ! mgcp ! dial-peer voice 1 pots service mgcpapp port 1/1/1

or

Router#show running config .... controller T1 1/1 framing sf linecode ami pri-group timeslots 1-24 service mgcp

or

Router#show running config .... controller T1 1/1 framing sf linecode ami ds0-group 0 timeslots 1-24 type none service mgcp

The exact port numbers may vary in the configuration.

H.323 signaling-related vulnerabilities

To determine whether H.323 is configured on an IOS device, look for either of the following lines in the Cisco IOS configuration.

For Cisco bug ID CSCsi60004 ( registered customers only) this configuration is vulnerable:

Router#show running config | include proxy proxy h323

For Cisco bug ID CSCsg70474 ( registered customers only) this configuration is vulnerable:

Router#show running config | include inspect ip inspect name H323_protocol h323 ip inspect H323_protocol in

Real-time Transport Protocol-related vulnerabilities

No particular configuration is required to enable RTP because this protocol is invoked when audio or video information is transmitted. H.323, MGCP, SIP, or H.320 protocols must be processing packets for a router to process RTP packets.

Note: These vulnerabilities only affect sessions terminating or originating on a device itself, not transit traffic; for example, traffic that passes through a device, but is destined elsewhere is not affected.

Facsimile reception vulnerability

The IOS device will listen to incoming facsimile transmission by default if the Digital Signal Processor (DSP) is present. To determine the presence of DSP on a device, execute the following command:

Note: This vulnerability only affects sessions terminating or originating on a device itself, not transit traffic; for example, traffic that passes through a device, but is destined elsewhere is not affected.

Router#show voice dsp DSP DSP DSPWARE CURR BOOT PAK TX/RX TYPE NUM CH CODEC VERSION STATE STATE RST AI VOICEPORT TS ABORT PACK COUNT ==== === == ======== ======= ===== ======= === == ========= == ===== ============ C542 001 01 None 7.4.1 IDLE idle 0 0 1/1/0 NA 0 598/607 C542 002 01 None 7.4.1 IDLE idle 0 0 1/1/1 NA 0 591/588

The above example shows that DSP is present on the device.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities. The following devices are known not to be affected:

Cisco Unified Communications Manager (with the exception of CSCsi80102 (registered customers only) )

Cisco IP Phone

Details

Details for vulnerabilities are grouped by category and impact.

SIP-related vulnerabilities

SIP is a protocol that is used to establish, modify, and terminate multimedia sessions. Most commonly, SIP is used for Internet telephony. SIP call signaling can use UDP (User Datagram Protocol) or TCP (Transport Control Protocol) as an underlying transport protocol. In all cases vulnerabilities can be triggered by processing a malformed SIP packet.

A malformed SIP packet may cause a vulnerable device to crash and may allow arbitrary code to be executed. These vulnerabilities are documented as the following Cisco Bug IDs:
- CSCsi80749 Crash while processing malformed SIP packet (registered customers only)
- CSCsi80102 CUCM - Crash while processing malformed SIP packet (registered customers only)
A malformed SIP packet may cause a memory leak and device crash. These vulnerabilities are documented as the following Cisco Bug IDs:
- CSCsf11855 Crash while processing malformed SIP packet (registered customers only)
- CSCeb21064 Crash while processing malformed SIP packet (registered customers only)
- CSCse40276 Router crashed by malformed SIP message (registered customers only)
- CSCse68355 Router crashed by malformed SIP packet (registered customers only)
- CSCsf30058 Memory leak when processing malformed SIP message (registered customers only)
- CSCsb24007 Memory corruption and unexpected reload on receiving a SIP packet (registered customers only)
- CSCsc60249 Crash while processing malformed SIP packet (registered customers only)
MGCP-related vulnerabilities

MGCP is a protocol for controlling media gateways from external call control elements such as Media Gateway Controllers or Call Agents. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. In a Cisco environment, a media gateway is used between the Cisco Communications Manager and the Cisco router and servers as a voice gateway.

A specially crafted MGCP packet can cause a vulnerable device to crash or become unresponsive. The unresponsive device will not be able to establish new telephone calls, and a reboot is required to restore normal operation. These vulnerabilities are documented as the following Cisco Bug IDs:
- CSCsf08998 MGCP stop responding after receiving malformed packet (registered customers only)
- CSCsd81407 Router crash on receiving abnormal MGCP messages (registered customers only)
H.323-signaling related vulnerabilities

H.323 is an ITU (International Telecommunications Union) set of recommendations for multimedia communication and signaling in networks that use Internet Protocol.

A malformed H.323 packet can crash a vulnerable device. These vulnerabilities are documented as the following Cisco Bug IDs:
- CSCsi60004 H323 Proxy Unregistration from Gatekeeper (registered customers only)
- CSCsg70474 IOS FW with h323 inspect crashes when malformed H.323 packets received (registered customers only)
Real-time Transport Protocol-related vulnerabilities

RTP is a protocol that is designed to provide delivery services for data with real-time characteristics, such as interactive audio and video.

A malformed RTP packet can cause a vulnerable device to crash. These vulnerabilities are documented as the following Cisco Bug IDs:
- CSCse68138 Issue in handling specific packets in VOIP RTP Lib (registered customers only)
- CSCse05642 I/O memory corruption crash on a router (registered customers only)
Facsimile reception vulnerability

Reception of a large packet can cause a vulnerable device to crash. This vulnerability is documented as the following Cisco Bug ID:
- CSCej20505 Router hangs with overly large packet (registered customers only)

Workarounds

None of the listed vulnerabilities have workarounds. Users are advised to apply mitigation techniques to limit exposure to the listed vulnerabilities. Mitigation consists of only allowing legitimate devices to connect to the routers. To increase effectiveness, the mitigation must be coupled with the application of anti-spoofing measures on the network edge. This action is required because all vulnerable voice protocols can use UDP as transport protocol.

None of the listed vulnerabilities can be mitigated on Cisco Unified Communications Manager. All mitigations must be done on adjacent devices.

Users are advised to disable affected protocols if not required for normal device operation. To prevent the router from processing SIP packets, the user must execute the following commands:

Router(config)#sip-ua
Router(config-sip-ua)#no transport udp
Router(config-sip-ua)#no transport tcp
Router(config-sip-ua)#end

Note: When applying this workaround to devices that are processing MGCP or H.323 calls, the device will not allow SIP processing to stop while active calls are being processed. As a result, the workaround should be implemented during a maintenance period when active calls can be stopped.

Infrastructure Access Control Lists (iACL)

Although difficult to block traffic from transiting the network, it is possible to identify traffic that should not target infrastructure devices and block such traffic at the network border. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The ACL example shown below should be included as part of the deployed infrastructure access list that will protect all devices with IP addresses located within the infrastructure IP address range.

A sample access list for devices running Cisco IOS is below:


!-- Permit SIP, MGCP, H.323 and RTP services from trusted hosts destined 
!-- to infrastructure addresses.

access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK 
   eq 5060
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK 
   eq 5061
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK
   eq 5060
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK
   eq 5061
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK
   eq 2427
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK
   eq 1720
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK
   eq 11720
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK
   eq 2517
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK
   range 16384 32767

!-- Deny SIP, MGCP, H.323 and RTP packets from all other sources destined
!-- to infrastructure addresses.

access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 5060 
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 5061 
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 5060 
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 5061 
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2427 
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 1720 
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 11720 
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2517
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK
   range 16384 32767  

!-- Permit all other traffic to transit the device.

access-list 150 permit ip any any
interface serial 2/0
 ip access-group 150 in

The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists. This white paper can be obtained at the following link: http://www.cisco.com/warp/public/707/iacl.html.

Control Plane Policing

Control Plane Policing (CoPP) can be used to block untrusted SIP (TCP and UDP ports 5060 and 5061), MGCP (UDP port 2427), H.323 (TCP ports 1720 and 11720 and UDP port 2517), and RTP (UDP ports 16384 to 32767) access to the device. Cisco IOS software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be configured on a device to protect the management and control planes to minimize the risk and effectiveness of direct infrastructure attacks. CoPP protects the management and control planes by explicitly permitting only authorized traffic sent to infrastructure devices and in accordance with existing security policies and configurations. The following example, which uses 192.168.100.1 to represent a trusted host, can be adapted to the network:


!-- Deny SIP, MGCP, H.323 and RTP traffic from trusted hosts to all
!-- IP addresses configured on all interfaces of the affected device 
!-- so that it will be allowed by the CoPP feature.

access-list 111 deny tcp host 192.168.100.1 any eq 5060
access-list 111 deny tcp host 192.168.100.1 any eq 5061
access-list 111 deny udp host 192.168.100.1 any eq 5060
access-list 111 deny udp host 192.168.100.1 any eq 5061
access-list 111 deny udp host 192.168.100.1 any eq 2427
access-list 111 deny tcp host 192.168.100.1 any eq 1720
access-list 111 deny tcp host 192.168.100.1 any eq 11720
access-list 111 deny udp host 192.168.100.1 any eq 2517
access-list 111 deny udp host 192.168.100.1 any range 16384 32767

!-- Permit all other SIP, MGCP, H.323 and RTP traffic sent to all 
!-- IP addresses configured on all interfaces of the affected device 
!-- so that it will be policed and dropped by the CoPP feature.

access-list 111 permit tcp any any eq 5060
access-list 111 permit tcp any any eq 5061
access-list 111 permit udp any any eq 5060
access-list 111 permit udp any any eq 5061
access-list 111 permit udp any any eq 2427
access-list 111 permit tcp any any eq 1720
access-list 111 permit tcp any any eq 11720
access-list 111 permit udp any any eq 2517
access-list 111 permit udp any any range 16384 32767

!-- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and Layer 4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.

!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.

class-map match-all drop-voice-class
  match access-group 111

!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.

policy-map drop-voice-traffic
  class drop-voice-class
	drop

!-- Apply the Policy-Map to the Control-Plane of the
!-- device.

control-plane
  service-policy input drop-voice-traffic

In the above CoPP example, the access control list entries (ACEs) that match the potential exploit packets with the "permit" action result in the exploit packets being discarded by the policy-map "drop" function. Meanwhile, packets that match the "deny" action (not shown) are not affected by the policy-map drop function.

Please note that in the 12.2S and 12.0S Cisco IOS trains the policy-map syntax is different:

policy-map drop-voice-traffic
 class drop-voice-class
  police 32000 1500 1500 conform-action drop exceed-action drop

Additional information on the configuration and use of the CoPP feature can be found at http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html and http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html.

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20070808-IOS-voice

Fixed Software

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table.

For further information about how Cisco IOS is built, numbered and maintained, please see the following URL: http://www.cisco.com/web/about/security/intelligence/ios-ref.html

Major Release	Availability of Repaired Releases
Affected 12.0-Based Release	First Fixed Release	Recommended Release
12.0	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0DA	Not Vulnerable
12.0DB	Not Vulnerable
12.0DC	Not Vulnerable
12.0S	Not Vulnerable
12.0SC	Not Vulnerable
12.0SL	Not Vulnerable
12.0SP	Not Vulnerable
12.0ST	Not Vulnerable
12.0SX	Not Vulnerable
12.0SY	Not Vulnerable
12.0SZ	Not Vulnerable
12.0T	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0W	Not Vulnerable
12.0WC	12.0(5)WC16
12.0WT	Not Vulnerable
12.0XA	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XB	Not Vulnerable
12.0XC	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XD	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XE	Vulnerable; first fixed in 12.1(27b)E2
12.0XF	Vulnerable; contact TAC
12.0XG	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XH	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XI	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XJ	Not Vulnerable
12.0XK	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XL	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XM	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XN	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XQ	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XR	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XS	Not Vulnerable
12.0XV	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XW	Not Vulnerable
Affected 12.1-Based Release	First Fixed Release	Recommended Release
12.1	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1AA	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1AX	Not Vulnerable
12.1AY	Not Vulnerable
12.1AZ	Not Vulnerable
12.1CX	Not Vulnerable
12.1DA	Not Vulnerable
12.1DB	Not Vulnerable
12.1DC	Not Vulnerable
12.1E	12.1(27b)E2
12.1EA	12.1(22)EA10	12.1(22)EA10a 12.1(22)EA10b; available 13-Sept-07
12.1EB	Not Vulnerable
12.1EC	Vulnerable; first fixed in 12.2(4)BC1	12.3(17b)BC8 12.3(21a)BC3
12.1EO	Not Vulnerable
12.1EU	Not Vulnerable
12.1EV	Not Vulnerable
12.1EW	Not Vulnerable
12.1EX	Vulnerable; first fixed in 12.1(27b)E2
12.1EY	Vulnerable; first fixed in 12.1(27b)E2
12.1EZ	Vulnerable; first fixed in 12.1(27b)E2
12.1GA	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1GB	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1T	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XA	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XB	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XC	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XD	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XE	Vulnerable; first fixed in 12.1(27b)E2
12.1XF	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XG	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XH	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XI	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XJ	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XK	Not Vulnerable
12.1XL	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XM	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XN	Not Vulnerable
12.1XO	Not Vulnerable
12.1XP	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XQ	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XR	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XS	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XT	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XU	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XV	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XW	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XX	Not Vulnerable
12.1XY	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XZ	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1YA	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1YB	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1YC	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1YD	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1YE	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1YF	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1YG	Not Vulnerable
12.1YH	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1YI	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1YJ	Not Vulnerable
Affected 12.2-Based Release	First Fixed Release	Recommended Release
12.2	12.2(26c); available 14-Aug-07 12.2(27c); available 14-Aug-07 12.2(28d); available 14-Aug-07 12.2(29b); available 14-Aug-07 12.2(46a); available 15-Aug-07	12.2(46a)
12.2B	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2BC	Not Vulnerable
12.2BW	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2BY	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2BZ	Not Vulnerable
12.2CX	Not Vulnerable
12.2CY	Not Vulnerable
12.2CZ	Vulnerable; contact TAC
12.2DA	Not Vulnerable
12.2DD	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2DX	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2EU	Not Vulnerable
12.2EW	Not Vulnerable
12.2EWA	Not Vulnerable
12.2EX	Not Vulnerable
12.2EY	Not Vulnerable
12.2EZ	Not Vulnerable
12.2FX	Not Vulnerable
12.2FY	Not Vulnerable
12.2FZ	Not Vulnerable
12.2IXA	Vulnerable; first fixed in 12.2(18)IXD1	12.2(18)IXD1
12.2IXB	Vulnerable; first fixed in 12.2(18)IXD1	12.2(18)IXD1
12.2IXC	Vulnerable; first fixed in 12.2(18)IXD1	12.2(18)IXD1
12.2IXD	12.2(18)IXD1	12.2(18)IXD1
12.2IXE	Not Vulnerable
12.2JA	Not Vulnerable
12.2JK	Not Vulnerable
12.2MB	Not Vulnerable
12.2MC	12.2(15)MC1 12.2(15)MC2a 12.2(15)MC2i 12.2(8)MC1 12.2(8)MC2	12.2(15)MC2j
12.2S	12.2(14)S19 12.2(18)S13 12.2(20)S13 12.2(25)S13 12.2(30)S	12.2(25)S13 12.2(14)S19
12.2SB	12.2(28)SB1 12.2(31)SB6	12.2(28)SB9; available 15-Aug-07 12.2(31)SB6
12.2SBC	Vulnerable; first fixed in 12.2(28)SB1	12.2(28)SB9; available 15-Aug-07 12.2(31)SB6
12.2SE	Not Vulnerable
12.2SEA	Not Vulnerable
12.2SEB	Not Vulnerable
12.2SEC	Not Vulnerable
12.2SED	Not Vulnerable
12.2SEE	Not Vulnerable
12.2SEF	Not Vulnerable
12.2SEG	Not Vulnerable
12.2SG	Not Vulnerable
12.2SGA	Not Vulnerable
12.2SL	Not Vulnerable
12.2SM	Not Vulnerable
12.2SO	Not Vulnerable
12.2SRA	12.2(33)SRA5	12.2(33)SRA5
12.2SRB	12.2(33)SRB2; available 31-Aug-07	12.2(33)SRB2; available 31-Aug-07
12.2SU	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2SV	12.2(22)SV 12.2(23)SV 12.2(24)SV 12.2(25)SV 12.2(27)SV2 12.2(27)SV3 12.2(28)SV1 12.2(29)SV 12.2(29a)SV	12.2(29)SV4; available 14-Oct-07
12.2SVA	Not Vulnerable
12.2SVC	Vulnerable; contact TAC
12.2SW	12.2(20)SW 12.2(21)SW 12.2(21)SW1 12.2(25)SW10 12.2(25)SW11	12.2(25)SW11
12.2SX	Vulnerable; first fixed in 12.2(18)SXF10
12.2SXA	Vulnerable; first fixed in 12.2(18)SXF10
12.2SXB	Vulnerable; first fixed in 12.2(18)SXF10	12.2(18)SXF10
12.2SXD	Vulnerable; contact TAC
12.2SXE	Vulnerable; first fixed in 12.2(18)SXF10	12.2(18)SXF10
12.2SXF	12.2(18)SXF10	12.2(18)SXF10
12.2SXH	Not Vulnerable
12.2SY	Not Vulnerable
12.2SZ	Vulnerable; first fixed in 12.2(30)S	12.2(25)S13 12.2(14)S19
12.2T	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2TPC	12.2(8)TPC10c; available 17-Aug-07	12.2(8)TPC10c
12.2UZ	Not Vulnerable
12.2VZ	Vulnerable; first fixed in 12.2(31)SB6	12.2(28)SB9; available 15-Aug-07 12.2(31)SB6
12.2XA	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XB	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XC	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2XD	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XE	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XF	Not Vulnerable
12.2XG	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XH	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XI	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XJ	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XK	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XL	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XM	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XN	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XQ	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XR	Not Vulnerable
12.2XS	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XT	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XU	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XV	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XW	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2YA	12.2(4)YA12; available 17-Aug-07	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2YB	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2YC	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2YD	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2YE	Vulnerable; first fixed in 12.2(30)S	12.2(25)S13 12.2(14)S19
12.2YF	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2YG	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2YH	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2YJ	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2YK	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2YL	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2YM	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2YN	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2YO	Not Vulnerable
12.2YP	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2YQ	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2YR	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2YS	Vulnerable; contact TAC	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2YT	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2YU	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2YV	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2YW	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2YX	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2YY	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2YZ	Vulnerable; first fixed in 12.2(30)S	12.2(25)S13 12.2(14)S19
12.2ZA	Not Vulnerable
12.2ZB	12.2(8)ZB	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2ZC	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2ZD	Vulnerable; contact TAC
12.2ZE	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2ZF	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2ZG	Vulnerable; contact TAC	12.3(2)XA6 12.3(8)YG6; available 16-Aug-07
12.2ZH	12.2(13)ZH9; available 17-Aug-07	12.2(13)ZH9
12.2ZJ	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2ZL	Vulnerable, first fixed in 12.3(11)T12, available 16-Aug-07 for the Cisco 17xx; first fixed in 12.4(16) for the Cisco 3200; first fixed in 12.3(7)XR7, available 13-Aug-07 for the ICS7750
12.2ZP	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2ZR	Vulnerable; contact TAC
12.2ZU	Vulnerable; first fixed in 12.2(33)SXH; available 31-Aug-07	12.2(33)SXH; available 31-Aug-07
12.2ZW	Vulnerable; contact TAC
12.2ZY	12.2(18)ZY1	12.2(18)ZY2; available 14-Sep-07
Affected 12.3-Based Release	First Fixed Release	Recommended Release
12.3	12.3(17c); available 16-Aug-07 12.3(18a); available 16-Aug-07 12.3(19a); available 16-Aug-07 12.3(20a) 12.3(21b) 12.3(22a) 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.3B	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.3BC	Not Vulnerable
12.3BW	Not Vulnerable
12.3EU	Not Vulnerable
12.3JA	Not Vulnerable
12.3JEA	Not Vulnerable
12.3JEB	Not Vulnerable
12.3JK	Not Vulnerable
12.3JL	Not Vulnerable
12.3JX	Not Vulnerable
12.3T	Limited platform support is available 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.3TPC	12.3(4)TPC11b; available 17-Aug-07	12.3(4)TPC11b; available 17-Aug-07
12.3VA	Not Vulnerable
12.3XA	12.3(2)XA6	12.3(2)XA6
12.3XB	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.3XC	12.3(2)XC5	12.3(2)XC5
12.3XD	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.3XE	12.3(2)XE5; available 17-Aug-07	12.3(2)XE5
12.3XF	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.3XG	Vulnerable; contact TAC	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.3XH	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.3XI	12.3(7)XI1b 12.3(7)XI8a 12.3(7)XI2a	12.3(7)XI10a; available 21-Aug-07
12.3XJ	Vulnerable; first fixed in 12.3(14)YX9; available 13-Aug-07	12.3(14)YX9; available 13-Aug-07
12.3XK	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.3XQ	Vulnerable; first fixed in 12.4(16)	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.3XR	12.3(7)XR7; available 17-Aug-07	12.3(7)XR7; available 17-Aug-07
12.3XS	Vulnerable; first fixed in 12.4(16)	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.3XU	12.3(8)XU	12.4(11)T3 12.4(9)T5; available 24-Aug-07 12.4(2)T6; available 20-Aug-07 12.4(4)T8; available 28-Aug-07 12.4(6)T8 12.4(15)T1
12.3XW	Vulnerable; first fixed in 12.3(14)YX9; available 13-Aug-07	12.3(14)YX9; available 13-Aug-07
12.3XY	Vulnerable; contact TAC	12.4(11)T3 12.4(9)T5; available 24-Aug-07 12.4(2)T6; available 20-Aug-07 12.4(4)T8; available 28-Aug-07 12.4(6)T8 12.4(15)T1
12.3YA	Vulnerable; first fixed in 12.4(16)	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d) 12.3(8)YG6; available 16-Aug-07
12.3YD	Vulnerable; first fixed in 12.4(11)T3	12.4(11)T3 12.4(9)T5; available 24-Aug-07 12.4(2)T6; available 20-Aug-07 12.4(4)T8; available 28-Aug-07 12.4(6)T8 12.4(15)T1
12.3YF	Vulnerable; first fixed in 12.3(14)YX9; available 13-Aug-07	12.3(14)YX9; available 13-Aug-07
12.3YG	12.3(8)YG6; available 16-Aug-07	12.3(8)YG6; available 16-Aug-07
12.3YH	Vulnerable; first fixed in 12.4(11)T3	12.4(11)T3 12.4(9)T5; available 24-Aug-07 12.4(2)T6; available 20-Aug-07 12.4(4)T8; available 28-Aug-07 12.4(6)T8 12.4(15)T1
12.3YI	Vulnerable; first fixed in 12.4(11)T3	12.4(11)T3 12.4(9)T5; available 24-Aug-07 12.4(2)T6; available 20-Aug-07 12.4(4)T8; available 28-Aug-07 12.4(6)T8 12.4(15)T1
12.3YJ	Not Vulnerable
12.3YK	12.3(11)YK3; available 20-Aug-07	12.3(11)YK3; available 20-Aug-07
12.3YM	12.3(14)YM11; available 23-Aug-07	12.3(14)YM11; available 23-Aug-07
12.3YQ	Vulnerable; first fixed in 12.4(11)T3	12.4(11)T3 12.4(9)T5; available 24-Aug-07 12.4(2)T6; available 20-Aug-07 12.4(4)T8; available 28-Aug-07 12.4(6)T8 12.4(15)T1
12.3YS	Vulnerable; first fixed in 12.4(11)T3	12.3(11)YS2
12.3YT	Vulnerable; first fixed in 12.4(11)T3	12.4(11)T3 12.4(9)T5; available 24-Aug-07 12.4(2)T6; available 20-Aug-07 12.4(4)T8; available 28-Aug-07 12.4(6)T8 12.4(15)T1
12.3YU	Vulnerable; first fixed in 12.4(2)XB6; available 16-Aug-07	12.4(2)XB6; available 16-Aug-07
12.3YX	12.3(14)YX9; available 13-Aug-07	12.3(14)YX9; available 13-Aug-07
12.3YZ	12.3(11)YZ2; available 17-Aug-07	12.3(11)YZ2; available 17-Aug-07
Affected 12.4-Based Release	First Fixed Release	Recommended Release
12.4	12.4(10c); available 20-Aug-07 12.4(12c) 12.4(13d) 12.4(16) 12.4(3h); available 20-Aug-07 12.4(5c); available 15-Aug-07 12.4(7f) 12.4(8d); available 3-Sep-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.4JA	Not Vulnerable
12.4JX	Not Vulnerable
12.4MD	Not Vulnerable
12.4MR	12.4(12)MR2; available 14-Aug-07	12.4(12)MR2
12.4SW	Not Vulnerable
12.4T	12.4(11)T3 12.4(15)T1 12.4(2)T6; available 3-Sep-07 12.4(4)T8; available 28-Aug-07 12.4(6)T8 12.4(9)T5; available 24-Aug-07	12.4(11)T3 12.4(9)T5; available 24-Aug-07 12.4(2)T6; available 20-Aug-07 12.4(4)T8; available 28-Aug-07 12.4(6)T8 12.4(15)T1
12.4XA	Vulnerable; first fixed in 12.4(11)T3	12.4(11)T3 12.4(9)T5; available 24-Aug-07 12.4(2)T6; available 20-Aug-07 12.4(4)T8; available 28-Aug-07 12.4(6)T8 12.4(15)T1
12.4XB	12.4(2)XB6; available 16-Aug-07	12.4(2)XB6; available 16-Aug-07
12.4XC	12.4(4)XC7; available 17-Aug-07	12.4(4)XC7
12.4XD	12.4(4)XD8; available 13-Aug-07	12.4(4)XD8; available 30-Aug-07
12.4XE	12.4(6)XE3; available 17-Aug-07	12.4(6)XE3
12.4XF	Not Vulnerable
12.4XG	Not Vulnerable
12.4XJ	12.4(11)XJ4	12.4(11)XJ4
12.4XK	Vulnerable; first fixed in 12.4(11)T3	12.4(11)T3 12.4(9)T5; available 24-Aug-07 12.4(2)T6; available 20-Aug-07 12.4(4)T8; available 28-Aug-07 12.4(6)T8 12.4(15)T1
12.4XT	12.4(6)XT1; available 17-Aug-07	12.4(6)XT1
12.4XV	12.4(11)XV1; available 17-Aug-07	12.4(11)XV1
12.4XW	12.4(11)XW2 12.4(11)XW3; available 24-Aug-07	12.4(11)XW3; available 13-Aug-07

Fixed Software for Cisco Unified Communications Manager

CUCM Version	Fixed Release	Download Location
CUCM 3.3	Not affected	Software release 3.3 is not affected by CSCsi80102 (registered customers only)
CUCM 4.x	Not affected	None of 4.x software releases are affected by CSCsi80102 (registered customers only)
CUCM 5.0	Not Provided	Upgrade to CUCM 5.1(2b)
CUCM 5.1	5.1(2b)	http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-51?psrtdcat20e2
CUCM 6.0	6.0(1a)	http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-60

Exploitation and Public Announcements

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

The following vulnerabilities were discovered during internal testing:
- CSCsi80749 Crash while processing malformed SIP packet
- CSCsi80102 CUCM - Crash while processing malformed SIP packet
- CSCeb21064 Crash while processing malformed SIP packet
- CSCse40276 Router crashed by malformed SIP message
- CSCse68355 Router crashed by malformed SIP packet
- CSCsf30058 Memory leak when processing malformed SIP message
- CSCsf08998 MGCP stop responding after receiving malformed packet
- CSCsd81407 Router crash on receiving abnormal MGCP messages
- CSCsg70474 IOS FW with h323 inspect crashes when malformed H.323 packets received
- CSCse68138 Issue in handling specific packets in VOIP RTP Lib
The following vulnerabilities were encountered in customer networks:
- CSCsf11855 Crash while processing malformed SIP packet
- CSCsb24007 Memory corruption and unexpected reload on receiving a SIP packet
- CSCsc60249 Crash while processing malformed SIP packet
- CSCsi60004 H323 Proxy Unregistration from Gatekeeper
- CSCse05642 I/O memory corruption crash on a router
- CSCej20505 Router hangs with overly large packet

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Action Links for This Advisory

Cisco IOS SIP DoS Vulnerability

Cisco IOS SIP DoS Vulnerability

Cisco IOS SIP DoS Vulnerability

Cisco IOS SIP DoS Vulnerability

Cisco IOS SIP DoS Vulnerability

Cisco IOS SIP DoS Vulnerability

Cisco IOS SIP DoS Vulnerability

Cisco IOS SIP DoS Vulnerability

Malformed MGCP Packet

Malformed SIP Invite Packet

Malformed SIP Packet

Malformed SIP Packet

Malformed SIP Packet

Malformed SIP Packet

Malformed SIP Packet

Malformed SIP Packet

Malformed SIP Packet

Malformed SIP Packet

SIP DoS

SIP Message DoS
Show All 20...

Related to This Advisory

Cisco IOS RTP Packet Denial of Service Vulnerability

Cisco IOS H.323 Packet Handling Denial of Service Vulnerability

Cisco IOS MGCP Packet Denial of Service Vulnerability

Cisco CallManager and Cisco IOS SIP Packet Denial of Service and Arbitrary Code Execution Vulnerability

Cisco IOS Software SIP Packet Handling Denial of Service Vulnerability

URL

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-IOS-voice

Revision History

Revision 1.2	2007-August-20	Updated the SIP-related vulnerabilities for the Vulnerable Products section.
Revision 1.1	2007-August-08	Updated commands in the Infrastructure Access Control Lists (iACL) section.
Revision 1.0	2007-August-08	Initial public release.

Show Less

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.

Feedback

Leave additional feedback

Voice Vulnerabilities in Cisco IOS and Cisco Unified Communications Manager

Available Languages

Bias-Free Language

Cisco Security Advisory

Voice Vulnerabilities in Cisco IOS and Cisco Unified Communications Manager

Summary

Affected Products

Vulnerable Products

Products Confirmed Not Vulnerable

Details

Workarounds

Fixed Software

Exploitation and Public Announcements

Cisco Security Vulnerability Policy

Subscribe to Cisco Security Notifications

Action Links for This Advisory

Related to This Advisory

URL

Revision History

Legal Disclaimer

Feedback

Cisco Security Vulnerability Policy

Subscribe to Cisco Security Notifications

Action Links for This Advisory

Related to This Advisory