Cisco Cisco IOS Software Release 12.4(2)XB6

CSCsi80749

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also 
shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following 
protocols or features:

Session Initiation Protocol (SIP) 

Media Gateway Control Protocol (MGCP) 

Signaling protocols H.323, H.254 

Real-time Transport Protocol (RTP) 

Facsimile reception 

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed 
Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all 
vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from 
disabling the protocol or feature itself. 

This advisory is posted at 

There are no open caveats in this release.

There are no resolved caveats in this release.

There are no open caveats in this release.

CSCec12299

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol 
Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite 
(VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider 
Edge (PE) devices may permit information to propagate between VPNs.

Workarounds are available to help mitigate this vulnerability. 

This issue is triggered by a logic error when processing extended communities on the PE device. 

This issue cannot be deterministically exploited by an attacker. 

Cisco has released free software updates that address these vulnerabilities. Workarounds that 
mitigate these vulnerabilities are available.