Summary

• Cisco released version 1.5.3 of the Secure Real-Time Transport Protocol (SRTP) library (libSRTP), which addresses a denial of service (DoS) vulnerability. Multiple Cisco products incorporate a vulnerable version of the libSRTP library.
  
  The vulnerability is in the encryption processing subsystem of libSRTP and could allow an unauthenticated, remote attacker to trigger a DoS condition. The vulnerability is due to improper input validation of certain fields of SRTP packets. An attacker could exploit this vulnerability by sending a crafted SRTP packet designed to trigger the issue to an affected device.
  
  The impact of this vulnerability on Cisco products may vary depending on the affected product. Details about the impact on each product are outlined in the "Conditions" section of each Cisco bug for this vulnerability. The bug IDs are listed at the top of this advisory and in the table in "Vulnerable Products."
  
  This advisory is available at the following link:
  
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-libsrtp

Affected Products

• Vulnerable Products

  The following Cisco products have been confirmed to be impacted by this vulnerability:
  
  

  Product	Defect	Fixed Release Availability
  Collaboration and Social Media
  Cisco WebEx Meetings Server versions 1.x	CSCux00729
  Cisco WebEx Meetings Server versions 2.x	CSCux00729	2.6.1 and 2.7 (June 2016)
  Endpoint Clients and Client Software
  Cisco Jabber Guest	CSCuz52891
  Cisco Jabber for Android	CSCuz52906	11.6
  Cisco Jabber for Apple iOS	CSCux82920	11.6
  Cisco Jabber for Mac	CSCuz52915	11.6
  Cisco Jabber for Windows	CSCux80499	11.6
  Network and Content Security Devices
  Cisco Adaptive Security Appliance (ASA) Software1	CSCux00686	8.4.7.31 9.1.7 9.2.4.6 9.3.3.8
  Routing and Switching - Enterprise and Service Provider
  Cisco IOS XE Software2	CSCux04317	3.14.3S 3.13.5S 3.16.2S 3.10.7S 3.17.1S 3.15.3S
  Voice and Unified Communications Devices
  Cisco IP Phone 88x1 Series	CSCux00708	11.0(1)
  Cisco DX Series IP Phones	CSCux00697	10.2(5)
  Cisco IP Phone 88x5 Series	CSCux00748	11.0(1)
  Cisco Unified 7800 Series IP Phones	CSCux00742	11.0(1)
  Cisco Unified 8831 Series IP Conference Phone	CSCux01782
  Cisco Unified 8961 IP Phone	CSCux00707	9.4(2)SR3 (August 2016)
  Cisco Unified 9951 IP Phone	CSCux00707	9.4(2)SR3 (August 2016)
  Cisco Unified 9971 IP Phone	CSCux00707	9.4(2)SR3 (August 2016)
  Cisco Unified Communications Manager (UCM)	CSCux00716	10.5(2)SU3
  Cisco Unified Communications Manager Session Management Edition (SME)	CSCux00716	10.5(2)SU3
  Cisco Unified Communications for Microsoft Lync	CSCuz52971	11.6 (Summer 2016)
  Cisco Unified IP Phone 7900 Series	CSCux00745	9.4(2)SR2
  Cisco Unified IP Phone 8941 and 8945 (SIP)	CSCux01786
  Cisco Unified Wireless IP Phone	CSCux37802	1.4.8.4
  Cisco Unity Connection (UC)	CSCux35568	10.5(2)SU3
  Cisco Virtualization Experience Media Engine	CSCuz52961	11.7 (September 2016)

  1. Cisco ASA deprecated the phone proxy feature that uses SRTP as of release 9.4.1.
  
  2. Cisco IOS XE platforms are vulnerable if they are configured to use Cisco Unified Border Element (CUBE) or Session Border Controller (SBC) features to terminate or translate SRTP sessions.

  CSCuz52891

  CSCux80499

  Products Confirmed Not Vulnerable

  Many Cisco products, such as Cisco IOS Software, support SRTP but do not use libSRTP. Therefore, they are not affected by this vulnerability. Cisco IOS XR Software and Cisco NX-OS Software do not use libSRTP. A product is not affected by this vulnerability unless it is listed in the "Vulnerable Products" section of this advisory.

Details

• The libSRTP library is an open-source implementation of SRTP originally authored by Cisco Systems and available for download at https://github.com/cisco/libsrtp. The vulnerability has existed in publicly available source code and libraries since the release of libSRTP and therefore affects all versions prior to 1.5.3. The issue is caused by insufficient input sanitization when processing certain fields in an SRTP packet. Processing a packet designed to trigger the issue may cause an integer underflow that could result in a failure of subsequent memory operations. If this underflow occurs, decryption of the packet could fail, causing memory corruption, an application crash, or a system restart. The impact of this vulnerability on Cisco products varies depending on the affected product.

Workarounds

• Any workarounds will be documented in the Cisco bugs, which are accessible through the Cisco Bug Search Tool.

Fixed Software

• Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
  
  http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
  
  Additionally, customers may only download software for which they have a valid license, procured from Cisco directly or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
  
  When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
  
  In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
  
  Customers Without Service Contracts
  
  Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
  
  http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
  
  Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory.

Source

• Cisco would like to thank Randell Jesup with the Mozilla team for discovering and reporting this vulnerability.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-libsrtp

Revision History

• Version	Description	Section	Status	Date
  1.1	Updated fixed versions table.	Vulnerable Products	Final	2016-May-10
  1.0	Initial public release.	-	Final	2016-April-20

  Show Less