[ISN] Flaws Plague VOIP Phones

From: InfoSec News (isnat_private)
Date: Mon Jul 15 2002 - 03:49:33 PDT

  • Next message: InfoSec News: "[ISN] Navy unveils its network command"

    By Dennis Fisher 
    July 12, 2002 
    Security researchers at @stake Inc. have found more than a dozen
    vulnerabilities in one of the most popular lines of voice-over-IP
    phones, some of which have consequences that reach well beyond just
    the telephony infrastructure.
    The researchers were able to gain remote administrative access to
    Pingtel Corp.'s Xpressa SIP PX-1 phones, hijack calls to and from the
    handsets, and perform several other attacks as a result of the flaws,
    according to an advisory the firm released Friday.
    The problems affect phones running versions 1.2.5 through of
    Pingtel's VxWorks software.
    Pingtel, of Woburn, Mass., sells its Java-enabled handsets to both
    service providers and enterprise customers.
    The most serious of the vulnerabilities is the result of a combination
    of two issues. The Xpressa phones ship without a password for the
    administrator account, which carries an unchangeable username of
    "admin." If the password is not set, an attacker with physical access
    to the phone easily can set the password, giving himself
    administrative access to the phone.
    A remote attacker can perform this same task using the phone's Web
    user management interface.
    With that accomplished, the attacker can then remotely log in using
    the phone's Telnet server. The Xpressa phone can then be used as "a
    fully POSIX compliant network device with storage space, bandwidth and
    a CPU," @stake's advisory says. POSIX is the generic name for a group
    of IEEE standards known as Portable Operating System Interface for
    Having administrative access also gives an attacker the opportunity to
    execute several other attacks. For example, an authenticated user can
    alter the call forwarding settings on the phones to send all incoming
    calls to another Session Initiation Protocol (SIP) URL or landline
    phone number. Compounding this vulnerability is the fact that the
    phones would not notify users of the diverted incoming calls.
    @stake concentrated on the Pingtel phones because they're the market
    leaders, but many of the same problems could likely be found in other
    VoIP phones.
    "I don't think a lot of people building these devices are looking at
    the security implications of what they're doing," said Chris Wysopal,
    director of research and development at @stake, based in Cambridge,
    Mass. "These are not difficult attacks. It's just knowing where to
    look. You don't have to write any special tools."
    And because SIP is built on the IP protocol, the SIP-based VoIP phones
    could also be susceptible to well-known IP attacks such as IP spoofing
    or replay attacks.
    An attacker with administrative access could also cause a
    denial-of-service condition to an Xpressa phone by either changing the
    SIP listening ports; requiring authentication of incoming calls, in
    which case neither the caller nor the recipient is notified if the
    authentication fails; or assigning a port of 0 to the Web server.
    Also, because the Web user interface is only protected by
    base64-encoded username and password pairs, anyone sniffing traffic
    between the Web interface and a phone would be able to see the login
    information in what is essentially clear text, @stake said.
    In addition, there are several other operational issues that @stake
    identified, including the fact that the phones' firmware can be
    upgraded without administrative access.
    Pingtel has posted to its Web site a document called "Best Practices
    for Deploying Pingtel Phones," and has also written a detailed
    response to all of the issues the researchers raised. The company also
    recommends that customers upgrade to the 2.0.1 release of VxWorks,
    which addresses some of the vulnerabilities.
    Pingtel plans two more software updates this year that will fix the
    remaining issues.
    The full @stake advisory is available at
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Jul 15 2002 - 07:26:13 PDT