Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.1001
Multiple Cisco Products libSRTP Denial of Service Vulnerability
21 April 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco WebEx Meetings Server
Cisco Jabber
Cisco Adaptive Security Appliance (ASA)
Cisco IOS XE Software
Cisco IP Phones
Cisco DX Series IP Phones
Cisco Unified IP Phones
Cisco Unified Communications Manager
Cisco Unity Connection (UC)
Publisher: Cisco Systems
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Cisco
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2015-6360
Reference: ESB-2016.0835
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-libsrtp
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Security Advisory
Multiple Cisco Products libSRTP Denial of Service Vulnerability
High
Advisory ID:
cisco-sa-20160420-libsrtp
Published:
2016 April 20 16:00 GMT
Version 1.0:
Final
CVSS Score:
Base - 7.8
Workarounds:
No workarounds available
Cisco Bug IDs:
CSCux00686
CSCux00697
CSCux00707
CVE-2015-6360
CWE-119
Download CVRF
Download PDF
Email
Summary
Cisco released version 1.5.3 of the Secure Real-Time Transport Protocol
(SRTP) library (libSRTP), which addresses a denial of service (DoS)
vulnerability. Multiple Cisco products incorporate a vulnerable version
of the libSRTP library.
The vulnerability is in the encryption processing subsystem of libSRTP
and could allow an unauthenticated, remote attacker to trigger a DoS
condition. The vulnerability is due to improper input validation
of certain fields of SRTP packets. An attacker could exploit this
vulnerability by sending a crafted SRTP packet designed to trigger
the issue to an affected device.
The impact of this vulnerability on Cisco products may vary depending
on the affected product. Details about the impact on each product
are outlined in the "Conditions" section of each Cisco bug for this
vulnerability. The bug IDs are listed at the top of this advisory and
in the table in "Vulnerable Products."
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-libsrtp
Affected Products
Vulnerable Products
The following Cisco products have been confirmed to be impacted by
this vulnerability:
Product Defect Fixed Release Availability
Collaboration and Social Media
Cisco WebEx Meetings Server versions 1.x CSCux00729
Cisco WebEx Meetings Server versions 2.x CSCux00729 2.6.1 and 2.7 (June 2016)
Endpoint Clients and Client Software
Cisco Jabber CSCux00711 11.6
Network and Content Security Devices
Cisco Adaptive Security Appliance (ASA) CSCux00686 8.4.7.31
Software1 9.1.7
9.2.4.6
9.3.3.8
Routing and Switching - Enterprise and Service Provider
Cisco IOS XE Software2 CSCux04317 3.14.3S
3.13.5S
3.16.2S
3.10.7S
3.17.1S
3.15.3S
Voice and Unified Communications Devices
Cisco IP Phone 88x1 Series CSCux00708 11.0(1)
Cisco DX Series IP Phones CSCux00697 10.2(5)
Cisco IP Phone 88x5 Series CSCux00748 11.0(1)
Cisco Unified 7800 Series IP Phones CSCux00742 11.0(1)
Cisco Unified 8831 Series IP Conference CSCux01782
Phone
Cisco Unified 8961 IP Phone CSCux00707 9.4(2)SR3
(August 2016)
Cisco Unified 9951 IP Phone CSCux00707 9.4(2)SR3
(August 2016)
Cisco Unified 9971 IP Phone CSCux00707 9.4(2)SR3
(August 2016)
Cisco Unified Communications Manager (UCM) CSCux00716 10.5(2)SU3
Cisco Unified Communications Manager CSCux00716 10.5(2)SU3
Session Management Edition (SME)
Cisco Unified IP Phone 7900 Series CSCux00745 9.4(2)SR2
Cisco Unified IP Phone 8941 and 8945 (SIP) CSCux01786
Cisco Unified Wireless IP Phone CSCux37802 1.4.8.4
Cisco Unity Connection (UC) CSCux35568 10.5(2)SU3
1. Cisco ASA deprecated the phone proxy feature that uses SRTP as of
release 9.4.1.
2. Cisco IOS XE platforms are vulnerable if they are configured to use
Cisco Unified Border Element (CUBE) or Session Border Controller (SBC)
features to terminate or translate SRTP sessions.
Products Confirmed Not Vulnerable
Many Cisco products, such as Cisco IOS Software, support SRTP but do not
use libSRTP. Therefore, they are not affected by this vulnerability. Cisco
IOS XR Software and Cisco NX-OS Software do not use libSRTP. A product is
not affected by this vulnerability unless it is listed in the "Vulnerable
Products" section of this advisory.
Details
The libSRTP library is an open-source implementation of SRTP
originally authored by Cisco Systems and available for download at
https://github.com/cisco/libsrtp. The vulnerability has existed in
publicly available source code and libraries since the release of
libSRTP and therefore affects all versions prior to 1.5.3. The issue
is caused by insufficient input sanitization when processing certain
fields in an SRTP packet. Processing a packet designed to trigger the
issue may cause an integer underflow that could result in a failure of
subsequent memory operations. If this underflow occurs, decryption of the
packet could fail, causing memory corruption, an application crash, or a
system restart. The impact of this vulnerability on Cisco products varies
depending on the affected product.
Workarounds
Any workarounds will be documented in the Cisco bugs, which are
accessible through the Cisco Bug Search Tool.
Fixed Software
Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased
a license. By installing, downloading, accessing, or otherwise using
such software upgrades, customers agree to follow the terms of the
Cisco software license:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Additionally, customers may only download software for which they
have a valid license, procured from Cisco directly or through a
Cisco authorized reseller or partner. In most cases this will be a
maintenance upgrade to software that was previously purchased. Free
security software updates do not entitle customers to a new software
license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to
consult the Cisco Security Advisories and Responses archive at
http://www.cisco.com/go/psirt and review subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to upgrade
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their contracted
maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco Technical
Assistance Center (TAC):
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a
free upgrade.
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any malicious use of the vulnerability that is described in
this advisory.
Source
Cisco would like to thank Randell Jesup with the Mozilla team for
discovering and reporting this vulnerability.
URL
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-libsrtp
Revision History
Version Description Section Status Date
1.0 Initial public release. - Final 2016-April-20
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY
OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE
DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO
RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits
the distribution URL is an uncontrolled copy and may lack important
information or contain factual errors. The information in this document
is intended for end users of Cisco products.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVxgwlX6ZAP0PgtI9AQK6wg//WNkUNVlx5WCXonEyHLVLUeciCVFV/QFP
Eqpsy1C0ant04tbXJybP1AUBAJ6Oy2/A2MJ7Fq4QgE5AbAOrknZ/u3gNeKfodwUy
JW+c76APee77yPm/Lpzv7M6XAO1oe+PsGawkDHPMaL0o0uh3NIT1O0DhC1P+o0/H
Vrwr1quF5WeV8LYmy68kFnk5IjGi5kWMNvPoasQlQfZCncK0guaZpMaQyTf13jjZ
dSHLlNaJtLwepZeWaJPNumq+zu7SUyuJp950Q8c3aKGQbpEV7iAha2RhTEIPjf55
9kIj3qm9hlQdaEzmfD9XhdsAodMP6KU2pzikIo39bgUOoJDxzHi6iAi7B9JA0d0L
G9wvS1mFkZZ6KsvXmydsQhQOBRYWNInpZtqSGjX2h5t1P+2IfJx4B7v7+Q363Aae
oD/S42dDzCb+bHF/+7VJSPYRN/kReGIlt9JZz4FWqyBR+ry3PFc0e55mWJH0Z2PN
RA09zjNpiRG9jUeI2tyNyftj47BuZBijTuW8lwKxgIrnush8LZ06EZvh3O44hQWf
+h+/LV881ud2nrRLSJ8CpU6fLecS0Gq3AOxypfWNoZj/oXKWV35stczzcK2BV6OM
p0WwKnnN2lWVv61qjtvm7oari8XHtsOHtg9rVN8/vgQemvzxF1bfMhx+X2HRvjMz
loonW+DMr5w=
=7HYr
-----END PGP SIGNATURE-----