PT-2012-1011 · Cisco · Cisco Unified Communications Manager+2

Published: 2012-09-26 · Updated: 2017-08-29 · CVE-2012-3949

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Cisco Unified Communications Manager versions 6.x through 7.x before 7.1(5b)su5
Cisco Unified Communications Manager versions 8.x before 8.5(1)su4
Cisco Unified Communications Manager versions 8.6 before 8.6(2a)su1
Cisco IOS versions 12.2 through 12.4
Cisco IOS versions 15.0 through 15.2
Cisco IOS XE versions 3.3.xSG before 3.3.1SG
Cisco IOS XE versions 3.4.xS
Cisco IOS XE versions 3.5.xS
Description

The SIP implementation in the affected software allows remote attackers to cause a denial of service via a crafted SIP message containing an SDP session description. The root cause is insufficient input processing of the SDP body. The vulnerability can be exploited by sending a specially crafted SIP packet carrying a specified SDP session descriptor, potentially causing a service crash or device reload. A device is exploitable only if it is configured to process SIP messages and to pass through Session Description Protocol (SDP) content.
Recommendations

For Cisco Unified Communications Manager versions 6.x through 7.x before 7.1(5b)su5, update to version 7.1(5b)su5 or later.
For Cisco Unified Communications Manager versions 8.x before 8.5(1)su4, update to version 8.5(1)su4 or later.
For Cisco Unified Communications Manager versions 8.6 before 8.6(2a)su1, update to version 8.6(2a)su1 or later.
For Cisco IOS versions 12.2 through 12.4, update to a version outside of this range.
For Cisco IOS versions 15.0 through 15.2, update to a version outside of this range.
For Cisco IOS XE versions 3.3.xSG before 3.3.1SG, update to version 3.3.1SG or later.

As a temporary workaround, consider restricting the processing of SIP messages and SDP pass-through to minimize the risk of exploitation.

Fix

DoS

RCE


Weakness Enumeration

Related Identifiers

BDU:2014-00035
CVE-2012-3949

Affected Products

Cisco Ios
Cisco Ios Xe
Cisco Unified Communications Manager