[ISN] SIP weakness could expose VoIP gear to attacks

From: InfoSec News (isnat_private)
Date: Tue Feb 25 2003 - 05:01:13 PST


    http://www.nwfusion.com/news/2003/0224sip.html
    
    By Phil Hochmuth
    Network World Fusion
    02/24/03
    
    A glitch in some vendors' Session Initiation Protocol (SIP) software 
    could leave SIP-enabled devices - such as IP phones, IP PBXs and 
    instant messaging clients - vulnerable to denial-of-service attacks, 
    the CERT Coordination Center said last week. 
    
    The Oulu University Secure Programming Group (OUSPG) discovered that 
    when a certain SIP test suite (PROTOS c07-sip) is applied to SIP 
    client devices or proxy servers, it causes "impacts ranging from 
    unexpected system behavior and denial of services to remote code 
    execution," according to the CERT warning. 
    
    The vulnerability relates to the "invite" messages SIP devices send to 
    each other to initiate sessions such as VoIP calls, text chat or 
    video. 
    
    SIP is an emerging VoIP protocol used to establish sessions among SIP 
    "agents," such as IP phones, softphones, text chat clients, and video 
    applications. Industry observers have called text-based SIP the 
    successor to the H.323 protocol, used widely in IP-based telephony and 
    videoconferencing equipment. Vendors with IP PBX and phone products 
    that use SIP include Alcatel, Avaya, Cisco, Mitel, Nortel, Pingtel, 
    Polycom, and Siemens. Microsoft Windows Messenger - a Web telephony, 
    chat and video client included in Windows XP - also uses SIP. 
    
    According to CERT and Cisco's Web site, Cisco's 7940 and 7960 models 
    of IP phones running SIP images prior to version 4.2 are vulnerable, 
    as well as Cisco routers running Cisco IOS 12.2T and 12.2X. PIX 
    firewalls running software versions with SIP support - beginning with 
    version 5.2(1) and up to, but not including versions 6.2(2), 6.1(4), 
    6.0(4) and 5.2(9) - are also affected, Cisco says. Fixes to these 
    products are available from Cisco's Web site. 
    
    Microsoft says its SIP-based software is not affected by the 
    vulnerability.
    
    Nortel says its Succession Communication Server 2000 and Succession 
    Communication Server 2000 - Compact are affected by the vulnerability 
    only when SIP-T has been enabled on the IP PBX products. Patches for 
    these products are available at Nortel's Web site. 
    
    Other vendors with SIP-based products have not posted comments on the 
    CERT Coordination Center Web site.
    
    
    