Secure Cisco routers against IOS flaw attack

Learn how to secure Cisco routers against the recently announced Cisco IOS flaw, which could be exploited by hackers. Find out how to determine which routers are affected and ways to protect yourself from this vulnerability, including steps to disable the SIP protocol where it is not needed or to perform traffic mitigation by filtering traffic arriving at your Cisco routers.

In a recent security alert, Cisco Systems warned that the Cisco IOS is vulnerable to a malicious attack (see Cisco warns of critical IOS flaws). By exploiting this vulnerability, a hacker could execute malicious code on the Cisco device or conduct a denial-of-service attack. As at least 70% of the routers on the Internet are Cisco routers, this vulnerability is of great concern. What can you do to protect your router infrastructure? Let's find out.

Which products are affected?

Only Cisco routers that have Cisco Unified Communications Manager or voice services enabled are affected. If your router meets either of these conditions, you should take action. If you are unsure whether your routers have voice services (the SIP protocol) enabled, you should check.

What specific versions of the IOS are affected?

Only certain versions of IOS 12.3 and all versions of 12.4 are affected by this vulnerability -- and only if you have the SIP protocol enabled. To find out what version of the IOS you are running, just type show version.

How do I know whether I have the SIP protocol enabled?

It is important to note that the Cisco IOS can be vulnerable to attack even if SIP has not been specifically configured. All it takes is that the router be listening for SIP traffic.

Run the following three commands to see whether your router is listening for incoming SIP requests:

show ip sockets

show udp

show tcp brief all

Note: The "show ip sockets" command may not work on newer versions of the IOS. The "show tcp brief all" command may not return any output. Here is sample output from my router:

 Router# show ip sockets
                  ^
 % Invalid input detected at '^' marker.
 Router# show udp
 Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
  17 --listen--          --any--             68   0   0    1   0
  17 --listen--          --any--           2887   0   0   11   0
  17 0.0.0.0               0 192.168.1.100     67   0   0 2211   0
 Router# show tcp brief all
 Router#

What you are looking for are any inbound openings (listeners) for the following protocols and port numbers: TCP 5060, 5061, 1720, 11720 and UDP 5060, 5061, 2427, 2517, 16384 - 32767.

As you can see from my router output, I did not have any. Here is what it might look like if you did have an opening:

 Router# show ip sockets
 Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
  17 0.0.0.0               0 --any--           5060   0   0  211   0
 Router# show tcp brief all
 TCB       Local Address       Foreign Address     (state)
 835F9624  *.5060              *.*                 LISTEN

Notice the port number 5060 in both cases.

How to protect your Cisco routers from attack

Here are three ways to protect your routers from attack:

  1. Check to see whether there is an upgrade to the IOS software that contains the bug fix for this vulnerability. At the time of this writing, there are no patched IOS versions available. While it may be painful to upgrade your routers, this is a good solution. If your routers are vulnerable, however, I advise you not to wait for a new IOS version, because your routers could be attacked in the interim. What you should do immediately is either disable the SIP service if it is not needed or perform traffic mitigation to ensure that only legitimate traffic can be sent to and from the affected Cisco routers.
  2. If the SIP protocol (voice services) is not needed on this device, you can disable it with the following commands:

    Router(config)# sip-ua
    Router(config-sip-ua)# no transport udp
    Router(config-sip-ua)# no transport tcp
    Router(config-sip-ua)# end

    These commands would disable the SIP protocol and protect you from this vulnerability.

  3. Lastly, if the SIP protocol (voice services) is needed on your router and there is no IOS upgrade available, you should go through traffic mitigation by authorising only valid traffic to your affected Cisco IOS devices. This can be as simple as creating an access list (ACL) that permits all SIP traffic from known SIP devices on your internal LAN and denies SIP traffic from all other hosts.

    Here is an example: Sample ACL: Deny unknown SIP traffic
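The following is an added example of such an access list, written for this edit and not the author's own sample ACL. It covers the TCP and UDP ports listed earlier in the article. The addresses are assumptions: 192.168.1.0/24 stands for the internal voice LAN holding the known SIP devices, 10.1.1.1 for the router's own address that those devices talk to, and FastEthernet0/0 and FastEthernet0/1 for the untrusted and internal interfaces. Replace them with your own values.

```cisco
! Added example (not the article's sample ACL). Placeholder addressing:
!   192.168.1.0/24  assumed internal voice LAN (known SIP devices)
!   10.1.1.1        assumed router address the SIP devices register to
! Denies match only the router's own address, so SIP traffic transiting
! the router between other hosts is not affected by this list.
ip access-list extended SIP-INBOUND
 remark -- Known internal voice devices may reach this router's SIP/voice ports
 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.1 range 5060 5061
 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.1 eq 1720
 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.1 eq 11720
 permit udp 192.168.1.0 0.0.0.255 host 10.1.1.1 range 5060 5061
 permit udp 192.168.1.0 0.0.0.255 host 10.1.1.1 eq 2427
 permit udp 192.168.1.0 0.0.0.255 host 10.1.1.1 eq 2517
 permit udp 192.168.1.0 0.0.0.255 host 10.1.1.1 range 16384 32767
 remark -- Everyone else is dropped on those same ports, and logged
 deny   tcp any host 10.1.1.1 range 5060 5061 log
 deny   tcp any host 10.1.1.1 eq 1720 log
 deny   tcp any host 10.1.1.1 eq 11720 log
 deny   udp any host 10.1.1.1 range 5060 5061 log
 deny   udp any host 10.1.1.1 eq 2427 log
 deny   udp any host 10.1.1.1 eq 2517 log
 deny   udp any host 10.1.1.1 range 16384 32767 log
 remark -- All other traffic is left alone
 permit ip any any
!
! Apply inbound on every interface that can carry traffic to the router,
! the untrusted side as well as the voice LAN itself (interface names assumed).
interface FastEthernet0/0
 description Untrusted side (assumed)
 ip access-group SIP-INBOUND in
!
interface FastEthernet0/1
 description Internal voice LAN (assumed)
 ip access-group SIP-INBOUND in
```

Two points to check after applying it. First, the deny lines name the router's address rather than "any" as the destination; if the router has several interface addresses, add a matching set of permit and deny lines for each one, otherwise SIP aimed at an unlisted address still reaches the router. Second, show access-lists SIP-INBOUND displays per-line hit counts: the permit lines should be incrementing during normal calls, and any hits on the logged deny lines are traffic from hosts that should not be talking SIP to your router and are worth investigating.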

IOS secure copy vulnerability

In a separate announcement, Cisco said that certain versions of the IOS are vulnerable to a secure copy (SCP) vulnerability. To protect your routers from attack via this vulnerability, either upgrade to the latest IOS version (which resolves the SCP vulnerability issue) or disable the secure copy service with this command:

Router(config)# no ip scp server enable

Summary

Commonly, Cisco routers directly connected to the Internet are not processing voice traffic, so it is more likely that internal routers processing voice may be affected by this vulnerability. The most important thing is that you determine which routers are affected. To protect yourself from this vulnerability, you can either disable the SIP protocol where it is not needed, or you can perform traffic mitigation by filtering traffic arriving at your Cisco routers.

You can find more information on this IOS vulnerability, including the specific version numbers that are affected, from Cisco Systems.

About the author: David Davis (CCIE #9369, CWNA, VCP, MCSE, CISSP, Linux+, CEH) has been in the IT industry for 15 years. Currently, he manages a group of systems/network administrators for a privately owned retail company and authors IT-related material in his spare time. You can find his how-to articles and video course covering Windows, Cisco networking, and virtualisation at his Web site, HappyRouter.com.