04-23-2008 02:16 AM - edited 03-15-2019 10:14 AM
Hello all,
I use a 2811 router with CM Express for ISDN dialing to the PSTN. My ISP informed me that I have high voice traffic to some countries in Asia and Africa. I debugged it - all calls were over SIP, which was enabled on the public interface in the default SIP config (I didn't see anything about enabling SIP in the startup-config). Now I have disabled TCP/UDP SIP transport and everything is OK, but can you explain to me what is possible or where the problem is?
Thank you.
lukas
My HW:
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T7, RELEASE SOFTWARE (fc3) - c2800nm-advipservicesk9-mz.124-9.T7.bin
sh sip-ua calls
SIP UAC CALL INFO
Number of SIP User Agent Client(UAC) calls: 0
SIP UAS CALL INFO
Call 1
SIP Call ID : 082b950025e80d108000001517184ec8@server480.none.com
State of the call : STATE_RECD_INVITE (11)
Substate of the call : SUBSTATE_NONE (0)
Calling Number : 1111
Called Number : 9009595036838
Bit Flags : 0x40401E 0x100 0x404
CC Call ID : 39669
Source IP Address (Sig ): my ip
Destn SIP Req Addr:Port : unknown ip:5060
Destn SIP Resp Addr:Port: unknown ip:5060
Destination Name : unknown ip
Number of Media Streams : 1
Number of Active Streams: 1
RTP Fork Object : 0x0
Media Mode : flow-through
Media Stream 1
State of the stream : STREAM_ACTIVE
Stream Call ID : 39669
Stream Type : voice+dtmf (1)
Negotiated Codec : g723r63 (24 bytes)
Codec Payload Type : 4
Negotiated Dtmf-relay : rtp-nte
Dtmf-relay Payload Type : 101
Media Source IP Addr:Port: my ip:17172
Media Dest IP Addr:Port : unknown ip:19056
Orig Media Dest IP Addr:Port : 0.0.0.0:0
04-23-2008 04:06 AM
Hi,
Check this info
http://www.cisco.com/en/US/products/products_security_advisory09186a0080899653.shtml#@ID
Basically, SIP, H.323 and MGCP ports stay open no matter if you have configured/enabled any of these services, and anyone can connect to the router on port 5060 (for example), and if he guesses the right pattern to go out through your POTS dial-peers you'll get quite a nice bill from your telco ;)
So deny any ports that these protocols use if you have ISDN and internet on the same router. Permit them only from trusted hosts if that is possible, and always put the sip no transport tcp/udp if you don't use SIP.
Use show tcp all brief and show ip sockets (if available in your IOS) to see on what ports your router is listening.
One of our clients said goodbye to a couple of thousand dollars the day before this advisory was posted.
BR,
Stoyan
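Added example, not part of the original posts: a Python check that reads `show sip-ua calls` output in the layout quoted in the first post and flags inbound (UAS) calls whose signalling peer is not on a trusted list. The sample output, the addresses, the trusted range and the function names are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in the layout of the output quoted in the thread.
SAMPLE = """\
SIP UAC CALL INFO
Number of SIP User Agent Client(UAC) calls: 0
SIP UAS CALL INFO
Call 1
SIP Call ID : a@host.example
State of the call : STATE_RECD_INVITE (11)
Calling Number : 1111
Called Number : 9009595036838
Destn SIP Req Addr:Port : 203.0.113.77:5060
Call 2
SIP Call ID : b@pbx.example
State of the call : STATE_ACTIVE (7)
Calling Number : 201
Called Number : 0123456
Destn SIP Req Addr:Port : 192.0.2.10:5060
"""
TRUSTED = [ipaddress.ip_network("192.0.2.0/28")]  # assumed trusted SIP peers

def parse_uas_calls(text):
    """Return one dict of fields per call in the 'SIP UAS CALL INFO' section."""
    calls, current, in_uas = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("SIP UAS CALL INFO"):
            in_uas = True
        elif line.startswith("SIP UAC CALL INFO"):
            in_uas, current = False, None
        elif in_uas and re.fullmatch(r"Call \d+", line):
            current = {}
            calls.append(current)
        elif current is not None and " : " in line:
            # Keys such as "Addr:Port" contain ':', so split on " : " only.
            key, _, value = line.partition(" : ")
            current.setdefault(key.strip(), value.strip())
    return calls

def untrusted_calls(text, trusted=TRUSTED):
    """List (peer, calling, called) for UAS calls from peers outside `trusted`."""
    flagged = []
    for call in parse_uas_calls(text):
        peer = call.get("Destn SIP Req Addr:Port", "").rsplit(":", 1)[0]
        try:
            ok = any(ipaddress.ip_address(peer) in net for net in trusted)
        except ValueError:
            ok = False  # unparseable or missing peer counts as untrusted
        if not ok:
            flagged.append((peer, call.get("Calling Number"), call.get("Called Number")))
    return flagged
```
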
04-23-2008 05:32 AM
Hi Stoyan,
Thank you for the info. I read your advisory link, but if I understand it (there is a lot of info about device crashes), the main reason for my problem could be this: "can potentially lead to remote code execution"? If yes, do you have any sample code please?
lukas
04-23-2008 06:51 AM
As I told you, your router listens on these ports and it is possible that someone can remotely "execute code" on them, i.e. send call-setup signalization and eventually make a call. This does not mean that they have accessed the router.