Cisco Bug: CSCuo19008 - Voice source-group enhancement to match L3 packet source IP address

Last Modified

Feb 01, 2017

Products (1)

  • Cisco IOS

Known Affected Releases

15.3(3)S0.2

Description (partial)

Symptom:
Service providers use "voice source-group" to provide different levels of service to different customers on the basis of the clients' source IP address. With the current behavior of voice source-group, however, the source address is checked in the SIP Via header instead of the L3 packet source IP address. This is a security vulnerability: a client with regular service can obtain premium service by forging a Via header that carries the IP address of a premium-service client.

Client A (Regular service) = AA.AA.AA.AA
Client B (Premium service) = BB.BB.BB.BB

voice source-group incoming-pgws
access-list 10
carrier-id target incoming-pgws
translation-profile incoming incoming-pgws
!
!
access-list 10 permit BB.BB.BB.BB

The problem: if Client A forges a new Via header with the IP address of Client B in its SIP INVITE to the ITSP gateway, Client A is able to use the premium service even though the source IP address of Client A is not in the access list configured for premium service.

Example with a forged bottom Via field carrying the IP of Client B, sent by Client A:
SIP: INVITE sip:0004xxx@ZZ.ZZ.ZZ.ZZ:5060 SIP/2.0
SIP: Via:SIP/2.0/UDP AA.AA.AA.AA:5060;branch=z9hG4bK-26810-1-0
SIP: Via:SIP/2.0/UDP xx.xx.xx.xx:5060;branch=z9hG4bK-26810-1-0
SIP: Via:SIP/2.0/UDP BB.BB.BB.BB:5060;branch=z9hG4bK-26810-1-0 ==== Forged header with IP of Client B

Conditions:
NA
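
The check this bug asks for can be run as an audit over captured INVITEs: evaluate the premium ACL once against the bottom Via (the match described above) and once against the L3 packet source, and flag any message where only the Via matches. This is an added example, not Cisco code; the addresses are constructed RFC 5737 stand-ins for the page's AA.AA.AA.AA and BB.BB.BB.BB placeholders, the function names are hypothetical, and matching on the bottom Via is an assumption taken from the page's example.

```python
import ipaddress

# Constructed stand-ins (RFC 5737 documentation addresses) for the page's placeholders.
CLIENT_A = "192.0.2.10"     # regular service, AA.AA.AA.AA on the page
CLIENT_B = "198.51.100.20"  # premium service, BB.BB.BB.BB on the page
PREMIUM_ACL = [ipaddress.ip_network(CLIENT_B + "/32")]  # models "access-list 10 permit"

# Constructed INVITE shaped like the page's example: sent by Client A, bottom Via forged.
FORGED = "\r\n".join([
    "INVITE sip:0004xxx@203.0.113.5:5060 SIP/2.0",
    "Via:SIP/2.0/UDP " + CLIENT_A + ":5060;branch=z9hG4bK-26810-1-0",
    "Via:SIP/2.0/UDP 203.0.113.77:5060;branch=z9hG4bK-26810-1-0",
    "Via:SIP/2.0/UDP " + CLIENT_B + ":5060;branch=z9hG4bK-26810-1-0",
])
# Constructed INVITE that really comes from Client B.
GENUINE = "\r\n".join([
    "INVITE sip:0004xxx@203.0.113.5:5060 SIP/2.0",
    "Via: SIP/2.0/UDP " + CLIENT_B + ":5060;branch=z9hG4bK-31122-1-0",
])

def via_hosts(sip_text):
    """Sent-by host of every Via header, top to bottom (port and params dropped)."""
    hosts = []
    for line in sip_text.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() not in ("via", "v"):   # "v" is the compact form
            continue
        for entry in value.split(","):                 # several Vias may share one line
            fields = entry.split(";")[0].split()
            if len(fields) == 2:                       # "SIP/2.0/UDP host[:port]"
                sent_by = fields[1]
                if sent_by.startswith("["):            # bracketed IPv6 literal
                    hosts.append(sent_by[1:].partition("]")[0])
                else:
                    hosts.append(sent_by.split(":")[0])
    return hosts

def in_acl(addr, acl):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                                 # hostname in sent-by: no IP match
        return False
    return any(ip in net for net in acl)

def audit(l3_src, sip_text, acl=PREMIUM_ACL):
    """Compare the Via-based match with an L3-source match; flag disagreement."""
    hosts = via_hosts(sip_text)
    via_match = bool(hosts) and in_acl(hosts[-1], acl)  # bottom Via, per the page's example
    l3_match = in_acl(l3_src, acl)
    return {"via_match": via_match, "l3_match": l3_match,
            "suspect": via_match and not l3_match}
```

`audit(CLIENT_A, FORGED)` returns `suspect: True` because only the Via matches the ACL, while `audit(CLIENT_B, GENUINE)` matches on both and is not flagged.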