Cisco CallManager Vulnerabilities

Cisco announced this week that their Cisco Unified CallManager and Cisco Unified Presence Servers are vulnerable to remote attacks by using specially crafted ICMP and UDP packets. Cisco has already released patches for them, here.

CallManager servers, which process VoIP calls on a network, can be crashed by sending attack traffic to TCP ports 2000 or 2443 to the server; these ports are used by Cisco’s proprietary call control protocols ? Skinny Call Control Protocol (SCCP, or “Skinny”) and Secure SCCP. This vulnerability exists in CallManager versions 3.x, 4.x and 5.0 (CUCM 6.0, the latest version (announced this month), is not affected, nor is the Presence Server).

Cisco says CallManager and the Presence Server are affected by attacks involving floods of ICMP Echo Requests (pings), or specially crafted UDP packets. The ping-flood vulnerability, which affects only CallManager 5.0 and Presence Server 1.x, could be used to crash call-processing or presence services on the respective servers.

The UDP vulnerability affects the IPSec Manager Service on CallManager and Presence Server, which uses UDP Port 8500. With this less severe vulnerability, an attack could not stop calls from being placed or received on a Cisco VoIP network, but could cause the loss of some features, such as the ability to forward calls or deploy configuration changes to clusters of CallManager and Presence Servers. Source: Cisco VoIP and presence servers vulnerable to new attacks

If you don’t want to load the patches yet, you can block these things at your router on the outside connections to your networks.

Permit TCP Port 2000 (SCCP) and TCP Port 2443 (Secure SCCP) to CallManager systems only from VoIP endpoints.

ICMP Echo Requests, Type 8, should be blocked for CallManager and Presence Server systems (although this could affect network management applications and troubleshooting).

UDP Port 8500 for IPSec Manager should be permitted only between CallManager/Presence Server systems configured in a cluster deployment.

The Register says,

CallManager versions 3.3, 4.1, 4.2 and 5.0, as well as Presence Server version 1.0, are affected by a number of security bugs. The vulnerabilities involve unspecified errors in the handling of large amounts of ICMP Echo packets and within IPSec Manager service, both of which might be used to launch denial of service attacks against vulnerable Cisco Unified CallManager and Presence Server software installations.

A separate bug means that CallManager software PBX systems might be taken down by port scanning. Source: Cisco wraps up against VoIP DoS bugs