

Various implementations of the Session Initiation Protocol (SIP) contain vulnerabilities (CERT Advisory CA-2003-06)

  [JSA10308]

Legacy Advisory Id:
Product Affected:
All Juniper Networks M-series, J-series, and T-series routers
Vulnerabilities have been reported in SIP implementations provided by various software vendors. SIP is not implemented on Juniper Networks M-series, J-series, and T-series routers. Therefore, these routers neither generate, respond to, nor act as a proxy for SIP messages. However, to prevent SIP messages from entering networks that contain vulnerable SIP-aware devices, customers might want to use the packet filtering features available in JUNOS software.
The JUNOS software provides a firewall filter capability that can be used to block SIP messages.
To prevent SIP messages from being forwarded, construct a firewall filter similar to the following example (or add an equivalent filter term to an existing filter), then apply the firewall filter as an input filter on all interfaces.

      user@router# show firewall filter block-SIP
      term no-SIP {
          from {
              protocol [ tcp udp ];
              destination-port 5060;
              fragment-offset 0;
          }
          then discard;
      }
      term pass-other {
          then accept;
      }
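
As an added illustration (not part of the Juniper advisory, and not JUNOS code), the following Python sketch models how the terms of the block-SIP filter above are evaluated, so you can see which traffic the `no-SIP` term actually discards. The `Packet` fields, the sample packets and the function names are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Model of the block-SIP filter: terms are tried in order, and the first term
# whose "from" conditions ALL match decides the action. A list such as
# "protocol [ tcp udp ]" matches if ANY listed value matches.
FILTER = [
    ("no-SIP", {"protocol": {"tcp", "udp"}, "destination-port": {5060},
                "fragment-offset": {0}}, "discard"),
    ("pass-other", {}, "accept"),  # no "from" block: matches every packet
]

@dataclass
class Packet:  # constructed sample fields, not a real capture
    protocol: str
    dst_port: Optional[int]  # None: no usable L4 header (ICMP, later fragment)
    frag_offset: int = 0     # 0 for unfragmented packets and first fragments

def evaluate(pkt, terms=FILTER):
    """Return (term name, action) for the first matching term."""
    fields = {"protocol": pkt.protocol, "destination-port": pkt.dst_port,
              "fragment-offset": pkt.frag_offset}
    for name, conditions, action in terms:
        if all(fields[k] in allowed for k, allowed in conditions.items()):
            return name, action
    return None, "discard"  # a filter with no matching term discards

SAMPLES = {  # constructed test traffic
    "UDP to 5060": Packet("udp", 5060),
    "TCP to 5060": Packet("tcp", 5060),
    "UDP from 5060 to 40000": Packet("udp", 40000),
    "later fragment of UDP datagram": Packet("udp", None, frag_offset=185),
    "UDP DNS": Packet("udp", 53),
    "ICMP": Packet("icmp", None),
}

def verdicts():
    return {label: evaluate(p)[1] for label, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, action in verdicts().items():
        print(f"{label:32} {action}")
```

The term matches on destination port only, so traffic sent from port 5060 to another port falls through to `pass-other`; later fragments are also accepted because only the first fragment carries the port numbers that `fragment-offset 0` lets the term inspect.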
Related Links:
Severity Level: