Vulnerability CVE-2009-2051 - CERT Civis.Net

Vulnerability Name:

CVE-2009-2051 (CCN-52814)

Assigned:

2009-08-26

Published:

2009-08-26

Updated:

2021-10-06

Summary:

Cisco IOS 12.2 through 12.4 and 15.0 through 15.1, Cisco IOS XE 2.5.x and 2.6.x before 2.6.1, and Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.x, 5.x before 5.1(3g), 6.x before 6.1(4), and 7.x before 7.1(2) allow remote attackers to cause a denial of service (device reload or voice-services outage) via a malformed SIP INVITE message that triggers an improper call to the sipSafeStrlen function, aka Bug IDs CSCsz40392 and CSCsz43987.

CVSS v3 Severity:

7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

7.8 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
5.8 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
5.8 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2009-2051

Source: OSVDB
Type: Broken Link
57453

Source: CCN
Type: SA36495
Cisco Unified Communications Manager SIP Header Denial of Service

Source: CCN
Type: SA36498
Cisco Unified Communications Manager Denial of Service Vulnerabilities

Source: SECUNIA
Type: Third Party Advisory
36498

Source: CCN
Type: SA36499
Cisco Unified Communications Manager Denial of Service Vulnerabilities

Source: SECUNIA
Type: Third Party Advisory
36499

Source: CCN
Type: SECTRACK ID: 1022775
Cisco Unified Communications Manager SIP and SCCP Processing Bugs Let Remote Users Deny Service

Source: CCN
Type: Cisco Applied Mitigation Bulletin: Document ID: 110849
Identifying and Mitigating Exploitation of the Cisco Unified Communications Manager Denial of Service Vulnerabilities

Source: CISCO
Type: Patch, Vendor Advisory
20090826 Cisco Unified Communications Manager Denial of Service Vulnerabilities

Source: CCN
Type: cisco-sa-20100922-sip
Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities

Source: CISCO
Type: Vendor Advisory
20100922 Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities

Source: CCN
Type: cisco-sa-20090826-cucm
Cisco Unified Communications Manager Denial of Service Vulnerabilities

Source: CCN
Type: OSVDB ID: 57453
Cisco Unified Communications Manager SIP Trunk Malformed Packet Handling Remote DoS

Source: BID
Type: Third Party Advisory, VDB Entry
36152

Source: CCN
Type: BID-36152
Cisco Unified Communications Manager Multiple Denial of Service Vulnerabilities

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1022775

Source: XF
Type: UNKNOWN
cucm-sip-invite-message-dos(52814)

Vulnerable Configuration:

Configuration 1:

cpe:/a:cisco:unified_communications_manager:*:*:*:*:*:*:*:* (Version >= 5.0 and < 5.1(3g))

OR cpe:/a:cisco:unified_communications_manager:*:*:*:*:*:*:*:* (Version >= 6.1(1) and < 6.1(4))

OR cpe:/a:cisco:unified_communications_manager:*:*:*:*:*:*:*:* (Version >= 7.1 and < 7.1(2))

OR cpe:/o:cisco:ios:*:*:*:*:*:*:*:* (Version >= 12.2 and <= 12.4)

OR cpe:/o:cisco:ios:*:*:*:*:*:*:*:* (Version >= 15.0 and <= 15.1)

OR cpe:/o:cisco:ios_xe:*:*:*:*:*:*:*:* (Version >= 2.5.0 and <= 2.6.1)

Configuration CCN 1:

cpe:/a:cisco:unified_communications_manager:5.1(2b):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:6.0(1a):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.0:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:3.3(5):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.1(3):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2.1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2.2:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2.3:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2.3sr1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2.3sr2:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2.3sr2b:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.3:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.3(1):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.1(1):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.1(2):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:6.0:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:6.1(1a):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:6.1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:6.1(1):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:3.3(5)sr1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:3.3(5)sr2a:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.1(3)sr1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.1(3)sr2:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.1(3)sr3:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.1(3)sr4:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:6.0(1):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:6.1(2)su1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:6.1(2):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.1(2a):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.1(3d):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.1(3):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.1(3a):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.1(3c):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:7.0:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:6.1(3):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.3(1)sr.1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.3(2):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.3(2)sr1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.1.1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.1.2:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.1.3:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:(2):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:(1):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:(2b):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:::business:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2(3)sr3:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2(3)sr2b:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2(3)sr1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2(3)sr4:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2_2:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2_3:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2.3_sr3:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2_1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2_3_sr3:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2_3_sr2b:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2_3sr1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.0_1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.0_2:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.3_1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.3.1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.3.2:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.0_4:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.0_3a:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.0_3:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2_3_sr2:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.3_1_sr1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.1:(2a):*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.1.2:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.0_4a:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.0_4a_su1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:6.0_1a:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:6.0_1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.1_3a:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.1_2b:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.1_2a:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.1_2:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:5.1_1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:6.1.0:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:7.0(1):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:6.1_1a:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:cisco.oval:def:178	V	cisco-sa-20100922-sip-CVE-2009-2051	2015-01-27