CVE-2010-2835

Name of the Vulnerable Software and Affected Versions Cisco IOS versions 12.2 through 12.4 and 15.0 through 15.1 Cisco IOS XE versions 2.5.x and 2.6.x before 2.6.1 Cisco Unified Communications Manager versions 6.x before 6.1(5), 7.0 before 7.0(2a)su3, 7.1su before 7.1(3b)su2, 7.1 before 7.1(5), and 8.0 before 8.0(1)

Description The issue allows an unauthenticated, remote attacker to cause a reload of an affected device when SIP operation is enabled, via a SIP REFER request with an invalid Refer-To header. This can lead to a denial of service, resulting in a device reload or voice-services outage. Cisco has released software updates that address these vulnerabilities. Mitigations are available to limit exposure to the vulnerabilities.

Recommendations For Cisco IOS versions 12.2 through 12.4 and 15.0 through 15.1, update to a fixed version. For Cisco IOS XE versions 2.5.x and 2.6.x before 2.6.1, update to version 2.6.1 or later. For Cisco Unified Communications Manager versions 6.x before 6.1(5), 7.0 before 7.0(2a)su3, 7.1su before 7.1(3b)su2, 7.1 before 7.1(5), and 8.0 before 8.0(1), update to the respective fixed versions. As a temporary workaround, consider disabling SIP operation on affected devices until a patch is available. Restrict access to the SIP implementation to minimize the risk of exploitation.