Cisco IOS Software and Cisco Unified Communications Manager Session Initiation Protocol Packet Processing Memory Leak Vulnerability

Cisco IOS Software and Cisco Unified Communications Manager contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

The vulnerability is due to improper processing of malformed packets by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious network requests to the targeted system. If successful, the attacker could cause the device to become unresponsive, resulting in a DoS condition.

Cisco confirmed this vulnerability and released software updates.

To exploit the vulnerability, an attacker must send malicious SIP packets to affected systems. Most environments restrict external connections using SIP, likely requiring an attacker to have access to internal networks prior to an attack. In addition, in environments that separate voice and data networks, attackers may have no access to networks that service voice traffic and allow the transmission of SIP packets, further increasing the difficulty of an exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.