Various implementations of the Session Initiation Protocol (SIP) contain vulnerabilities (CERT Advisory CA-2003-06)

[JSA10308]


Legacy Advisory Id:
PSN-2003-02-006
Product Affected:
All Juniper Networks M-series, J-series, and T-series routers
Problem:
Vulnerabilities have been reported in SIP implementations provided by various software vendors. SIP is not implemented on Juniper Networks M-series, J-series, and T-series routers. Therefore, these routers neither generate, respond to, nor act as a proxy for SIP messages. However, to prevent SIP messages from entering networks that contain vulnerable SIP-aware devices, customers might want to use the packet filtering features available in JUNOS software.
Solution:
The JUNOS software provides a firewall filter capability that can be used to block SIP messages.
Implementation:
To prevent SIP messages from being forwarded, construct a firewall filter similar to the following example (or add an equivalent term to an existing filter), then apply it as an input filter under family inet on all interfaces. The term no-SIP matches both TCP and UDP traffic to the standard SIP port 5060; fragment-offset 0 restricts the match to unfragmented packets and first fragments, which are the only ones that carry the transport header (a non-first fragment that slips through cannot be reassembled into a SIP message once its first fragment has been discarded). The term pass-other is required because a JUNOS firewall filter ends with an implicit discard; without it, all non-SIP traffic would be dropped as well. Note that this filter only covers SIP on port 5060, and that discard drops matching packets silently; use reject instead if the sender should receive an ICMP notification.

      [edit]
      user@router# show firewall filter block-SIP
       
      term no-SIP {
          from {
              protocol [tcp udp];
              destination-port 5060;
              fragment-offset 0;
          }
          then discard;
      }
      term pass-other {
          then accept;
      }
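The following configuration is an added example and is not part of the advisory or Juniper's own guidance. It shows the same block-SIP filter expressed under the full firewall hierarchy, extended with a count and log action so that discarded SIP packets are visible to the operator, and applied as an input filter on one interface. The interface name ge-0/0/0, the counter name sip-discards, and the address 192.0.2.1/24 are assumptions chosen for illustration.

```junos
/* Added example, not from the advisory: block-SIP with a counter and log
   action, applied as an input filter. Interface, address and counter name
   are assumed for illustration. */
firewall {
    family inet {
        filter block-SIP {
            /* Discard TCP and UDP to the standard SIP port; fragment-offset 0
               limits the match to packets that carry the transport header. */
            term no-SIP {
                from {
                    protocol [ tcp udp ];
                    destination-port 5060;
                    fragment-offset 0;
                }
                then {
                    count sip-discards;
                    log;
                    discard;
                }
            }
            /* Required: a filter ends with an implicit discard. */
            term pass-other {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input block-SIP;
                }
                address 192.0.2.1/24;
            }
        }
    }
}
```

After commit, the operational command show firewall filter block-SIP displays the sip-discards counter, and show firewall log shows the headers of recently logged packets, which lets you confirm that SIP traffic is actually reaching and being dropped by the filter rather than assuming it is. Repeat the filter application under family inet on every interface on which SIP traffic could arrive.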
Related Links:
Risk Level:
None