VARIoT IoT vulnerabilities database
VAR-200303-0124 | No CVE | SMS Denial of Service Vulnerability on All Siemens 35 and 45 Series Mobile Phones |
CVSS V2: - CVSS V3: - Severity: - |
Siemens * 35 and * 45 support SMS services.
Siemens * 35 and * 45 series mobile phones have vulnerabilities when receiving special text messages. Remote attackers can use this vulnerability to conduct denial of service attacks on mobile phones.
The attacker sends a message in the form of "% String" to Siemens * 35 and * 45 series mobile phones, which can cause the * 35 mobile phones to stop working and cause the * 45 series mobile phones to have a 2 minute read delay. Note that hostile characters must be capitalized And the message needs to be quoted.
Cell phones can drain their batteries after receiving 10-15 similar messages.
There is also a similar form of local vulnerability. Messages of the form "% some_word" (lowercase characters) can also cause the above problems.
VAR-200303-0126 | No CVE | HP JetDirect Printer SNMP JetAdmin Device Password Disclosure Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The JetDirect printer is a printer with integrated network capabilities developed by Hewlett Packard. The HP JetDirect printer does not properly handle certain SNMP GET requests, which can be exploited by remote attackers to obtain printer device passwords and change printer settings. The attacker sends a special SNMP GET request to the printer with this vulnerability. The printer returns a hexadecimal device password to the requester, which allows the remote user to access and change the printer's configuration settings. This vulnerability is different from the \"HP JetDirect Printer SNMP GET Get Administrator Password Remote Vulnerability\" ( http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=3172 ). The requested OID is different.
It has been reported that HP JetDirect printers leak the web JetAdmin device password under some circumstances
VAR-200303-0122 | CVE-2002-1337 |
Remote Buffer Overflow in Sendmail
Related entries in the VARIoT exploits database: VAR-E-200303-0035, VAR-E-200303-0036 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr function of headers.c. sendmail A buffer overflow vulnerability was discovered in message processing. The vulnerability could allow a third party to gain administrative privileges remotely. This problem, sendmail is caused by receiving a message with maliciously constructed header information. For this reason, LAN is running on a host installed within sendmail Even other MTA (Mail Transfer Agent) You may be affected by the vulnerability if you receive a malicious message relayed from .A third party may be able to remotely obtain administrator privileges. Sendmail is prone to a remotely buffer-overflow vulnerability in the SMTP header parsing component. Successful attackers may exploit this vulnerability to gain control of affected servers.
Reportedly, this vulnerability may be locally exploitable if the sendmail binary is setuid/setgid.
Sendmail 5.2 to 8.12.7 are affected. Administrators are advised to upgrade to 8.12.8 or to apply patches to earlier versions of the 8.12.x tree. Most organizations have various mail transfer agents (MTAs) at various locations within their network, at least one of which is directly connected to the Internet. According to statistics, Internet mail traffic handled by Sendmail accounts for 50\\% to 75\\% of the total. Many UNIX and Linux workstations run Sendmail by default. When an email header contains an address or address list (eg \"From\", \"To\", \"CC\"), Sendmail will attempt to check whether the provided address or address list is valid. Sendmail does this using the crackaddr() function, which is located in the headers.c file in the Sendmail source tree. Sendmail will check this buffer and stop adding data to it if it is found to be full. Sendmail goes through several safety checks to ensure that characters are interpreted correctly. On most Unix or Linux systems, Sendmail runs as the root user. Because the attack code can be included in what appears to be a normal email message, it can easily penetrate many common packet filtering devices or firewalls without being detected. Successful exploitation of an unpatched sendmail system leaves no messages in the syslog. However, on patched systems, attempts to exploit this vulnerability leave the following log message: Dropped invalid comments from header address This vulnerability affects both the commercial and open source versions of Sendmail, and is also reported to have been tested in the lab environment has been successfully exploited
VAR-200302-0050 | No CVE | USRobotics Broadband Router GET Request Remote Denial of Service Attack Vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
US Robotics offers a wide range of broadband router devices, including the US Robotics Broadband-Router 8000A/8000-2 (USR848000A-02). The US Robotics 8000A/8000-2 broadband router lacks proper handling of long GET requests, and remote attackers can exploit this vulnerability to perform denial of service attacks on routers. The US Robotics 8000A/8000-2 broadband router includes an embedded WEB service program. Due to the lack of proper handling of long GET requests, an attacker submitting a long malicious input can cause the device to crash and generate a denial of service attack. USRobotics Broadband-Routers are reportedly prone to denial of service attacks. An attacker can exploit this vulnerability by issuing an overly long GET request to the embedded web server of a vulnerable USRobotics device. When the device attempts to process the malformed input, it will crash. It has been reported that this condition may be reproduced from within the internal network.
This condition may be due to a buffer overflow. This issue is reported to affect v2.5 of US Robotics Broadband-Router 8000A/8000-2 (USR848000A-02)
VAR-200302-0055 | No CVE | Axis Communications Video Server Command.CGI File Creation Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
It has been reported that the Axis Video Servers do not properly handle input to the 'command.cgi' script. Because of this, an attacker may be able to create arbitrary files that would result in a denial of service, or potentially command execution.
VAR-200312-0380 | CVE-2003-1413 | Apple QuickTime/Darwin Streaming Server Remote file leak vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
parse_xml.cgi in Apple Darwin Streaming Server 4.1.1 allows remote attackers to determine the existence of arbitrary files by using ".." sequences in the filename parameter and comparing the resulting error messages. It has been reported that the QuickTime/Darwin Streaming Server reveals information that may be sensitive. When certain requests are made, a difference in reponses could make possible for an attacker to gain information about the local host. There is a vulnerability in parse_xml.cgi of Apple Darwin Streaming Server 4.1.1
VAR-200312-0381 | CVE-2003-1414 | Apple QuickTime/Darwin Streaming Server parse_xml.cgi File leak vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in parse_xml.cg Apple Darwin Streaming Server 4.1.2 and Apple Quicktime Streaming Server 4.1.1 allows remote attackers to read arbitrary files via a ... (triple dot) in the filename parameter. The vulnerability exists due to insufficient sanitization of some parameters given to the parse_xml.cgi script. Information obtained in this manner may be used by an attacker to launch more organinzed attacks against a vulnerable system.
This vulnerability was tested on SS for Microsoft Windows systems. Remote attackers can read arbitrary files with the help of the ..
VAR-200303-0102 | CVE-2003-0055 | Apple Quicktime/Darwin MP3 Broadcaster File name remote buffer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in the MP3 broadcasting module of Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute arbitrary code via a long filename. A vulnerability has been discovered in the Quicktime/Darwin MP3 Broadcaster. The problem occurs due to insufficient bounds checking on MP3 filenames. Processing an MP3 file with a name of excessive length may trigger the condition, effectively causing memory to be overwritten.
This issue may be exploitable by a remote attacker to execute arbitrary commands with the privileges of the user running the vulnerable application. By default, these services listen on port 1220/TCP with root user privileges. A remote or local attacker could exploit this vulnerability to serve malicious MP3 files and trigger a buffer overflow. When the MP3 broadcast module processes MP3 files with file names exceeding 256 bytes, buffer overflow may occur
VAR-200303-0100 | CVE-2003-0053 | Apple QuickTime/Darwin Streaming Server Parse_XML.CGI Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to insert arbitrary script via the filename parameter, which is inserted into an error message. When an invalid filename is specified from this page, it is output to an error page without sufficient sanitization of HTML and script code. This may permit cross-site scripting attacks to occur if an attacker constructs a malicious link to the page and can entice web users to visit it. Apple Darwin and QuickTime stream management server is a WEB-based service that allows administrators to manage Darwin and QuickTime stream servers. By default, these services listen to port 1220/TCP with ROOT privileges. The parse_xml.cgi of the Darwin/QuickTime streaming server does not sufficiently filter the non-existing file name parameters. If an attacker passes a non-existent file name parameter to the parse_xml.cgi script, the script will generate an error message and record it. If the parameter provided by the attacker contains malicious script code, the administrator can use the Script code is executed on the browser
VAR-200303-0099 | CVE-2003-0052 | Apple Quicktime/Darwin Streaming server parse_xml.cgi Directory list vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to list arbitrary directories. This may lead to disclosure of sensitive information which may aid in further attacks against the system hosting the software. The attacker may need to view the source code of the page to view the directory listing output. By default, these services listen on port 1220/TCP with root user privileges. The parse_xml.cgi of the Darwin/QuickTime streaming server does not adequately filter user-submitted input. The Darwin stream management server relies on the parse_xml.cgi application program to authenticate and interact with users. This CGI is written in PERL. Because the program uses the open() function incorrectly, an attacker can use this function to open directory nodes under the UNIX operating system, resulting in For information leakage, there are also vulnerabilities that allow attackers to view source code information of WEB scripts
VAR-200303-0098 | CVE-2003-0051 | Apple Quicktime/Darwin Streaming server parse_xml.cgi Remote path leak vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to obtain the physical path of the server's installation path via a NULL file parameter. Under some circumstances, it may be possible to reveal the physical path that the vulnerable server is installed too. Access to this information may aid in launching more organized attacks against system resources.
This vulnerability was originally described in BID 6932 "Multiple Remote
QuickTime/Darwin Streaming Administration Server Vulnerabilities". It is
now being assigned a separate BID. By default, these services listen on port 1220/TCP with root user privileges. If an attacker passes NULL as the file name parameter and submits it to the parse_xml.cgi script, the script will return information including the physical path where the service program is installed, and the attacker can use this information to further attack the system
VAR-200303-0097 | CVE-2003-0050 | Apple Quicktime/Darwin Streaming server parse_xml.cgi Remote command execution vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute arbitrary code via shell metacharacters. A command execution vulnerability has been discovered in the Darwin/QuickTime Streaming Servers. The vulnerability exists due to insufficient sanitization performed on some user-supplied input.
An attacker can exploit this vulnerability by submitting a specially crafted string to the parse_xml.cgi application that include malicious shell commands. These commands, when received by the Streaming Administration Servers, will be executed and may be used to compromise a vulnerable system. By default, these services listen on port 1220/TCP with root user privileges. The Darwin/QuickTime streaming server does not adequately sanitize user-submitted input. The Darwin stream management server relies on the parse_xml.cgi application to authenticate and interact with the user. This CGI is written in PERL and passes the input directly to the open() function without sufficient processing. When the pipe \'\'|\'\' character is inserted When entered, it can cause the open() function to execute the embedded command, and the input of the parameters can be submitted to CGI through a GET request. The new version of the Darwin stream management server provides partial filtering, but inserting NULL characters between the last character of the command and the pipe bypasses the check and executes arbitrary commands on the system with the privileges of the stream server process
VAR-200303-0101 | CVE-2003-0054 | Apple QuickTime/Darwin Streaming Server Malicious Port Request Code Injection Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute certain code via a request to port 7070 with the script in an argument to the rtsp DESCRIBE method, which is inserted into a log file and executed when the log is viewed using a browser. It has been reported that a vulnerability exists in the handling of malicious requests for streaming media in the Apple QuickTime/Darwin Streaming Server. A remote attacker can execute some code with a request to port 7070 inside a parameter in the rtsp DESCRIBE method. This vulnerability will insert it into a log file and only execute code when this log is read by a browser
VAR-201411-0060 | CVE-2014-3501 | Multiple implementations of the Session Initiation Protocol (SIP) contain multiple types of vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apache Cordova Android before 3.5.1 allows remote attackers to bypass the HTTP whitelist and connect to arbitrary servers by using JavaScript to open WebSocket connections through WebView. Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices. Supplementary information : CWE Vulnerability type by CWE-254: Security Features ( Security function ) Has been identified.
Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks.
Apache Cordova for Android versions 3.5.0 and prior are vulnerable. These issues may be exploited to cause a denial of services in devices which implement the protocol. It has also been reported that unauthorized access to devices may occur under some circumstances.
These issues are related to handling of SIP INVITE messages.
Exploitation and the specific nature of each vulnerability may depend on the particular implementation.
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the
Session Initiation Protocol (SIP)
Original release date: February 21, 2003
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Other systems making use of SIP may also be vulnerable but were not
specifically tested. Not all SIP implementations are affected. See
Vendor Information for details from vendors who have provided feedback
for this advisory.
In addition to the vendors who provided feedback for this advisory, a
list of vendors whom CERT/CC contacted regarding these problems is
available from VU#528719. These
vulnerabilities may allow an attacker to gain unauthorized privileged
access, cause denial-of-service attacks, or cause unstable system
behavior. If your site uses SIP-enabled products in any capacity, the
CERT/CC encourages you to read this advisory and follow the advice
provided in the Solution section below.
I.
SIP is a text-based protocol for initiating communication and data
sessions between users.
The Oulu University Secure Programming Group (OUSPG) previously
conducted research into vulnerabilities in LDAP, culminating in CERT
Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03.
OUSPG's most recent research focused on a subset of SIP related to the
INVITE message, which SIP agents and proxies are required to accept in
order to set up sessions. Note that "throttling" is an expected
behavior.
Specifications for the Session Initiation Protocol are available in
RFC3261:
http://www.ietf.org/rfc/rfc3261.txt
OUSPG has established the following site with detailed documentation
regarding SIP and the implementation test results from the test suite:
http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/
The IETF Charter page for SIP is available at
http://www.ietf.org/html.charters/sip-charter.html
II. Impact
Exploitation of these vulnerabilities may result in denial-of-service
conditions, service interruptions, and in some cases may allow an
attacker to gain unauthorized access to the affected device. Specific
impacts will vary from product to product.
III. Solution
Many of the mitigation steps recommended below may have significant
impact on your everyday network operations and/or network
architecture. Ensure that any changes made based on the following
recommendations will not unacceptably affect your ongoing network
operations capability.
Apply a patch from your vendor
Appendix A contains information provided by vendors for this
advisory. Please consult this appendix and VU#528719 to determine
if your product is vulnerable. If a statement is unavailable, you
may need to contact your vendor directly.
Disable the SIP-enabled devices and services
As a general rule, the CERT/CC recommends disabling any service or
capability that is not explicitly required. Some of the affected
products may rely on SIP to be functional. You should carefully
consider the impact of blocking services that you may be using.
Ingress filtering
As a temporary measure, it may be possible to limit the scope of
these vulnerabilities by blocking access to SIP devices and
services at the network perimeter.
Ingress filtering manages the flow of traffic as it enters a
network under your administrative control. Servers are typically
the only machines that need to accept inbound traffic from the
public Internet. Note that most SIP User Agents (including IP
phones or "clien"t software) consist of a User Agent Client and a
User Agent Server. In the network usage policy of many sites, there
are few reasons for external hosts to initiate inbound traffic to
machines that provide no public services. Thus, ingress filtering
should be performed at the border to prohibit externally initiated
inbound traffic to non-authorized services.
Please note that this workaround may not protect vulnerable devices
from internal attacks.
Egress filtering
Egress filtering manages the flow of traffic as it leaves a network
under your administrative control. There is typically limited need
for machines providing public services to initiate outbound traffic
to the Internet. In the case of the SIP vulnerabilities, employing
egress filtering on the ports listed above at your network border
may prevent your network from being used as a source for attacks on
other sites.
Block SIP requests directed to broadcast addresses at your router.
Since SIP requests can be transmitted via UDP, broadcast attacks
are possible. One solution to prevent your site from being used as
an intermediary in an attack is to block SIP requests directed to
broadcast addresses at your router.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.
America Online Inc
Not vulnerable.
Apple Computer Inc.
There are currently no applications shipped by Apple with Mac OS X
or Mac OS X Server which make use of the Session Initiation
Protocol.
Borderware
No BorderWare products make use of SIP and thus no BorderWare
products are affected by this vulnerability.
We would however like to extend our thanks to the OUSPG for their
work as well as for the responsible manner in which they handle
their discoveries. Their detailed reports and test suites are
certainly well-received.
We would also like to reiterate the fact that SIP has yet to
mature, protocol-wise as well as implementation-wise. We do not
recommend that our customers set up SIP relays in parallel to our
firewall products to pass SIP-based applications in or out of
networks where security is a concern of note.
F5 Networks
F5 Networks does not have a SIP server product, and is therefore
not affected by this vulnerability.
Fujitsu
With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable
because the relevant function is not supported under UXP/V.
IBM
SIP is not implemented as part of the AIX operating system.
IP Filter
IPFilter does not do any SIP specific protocol handling and is
therefore not affected by the issues mentioned in the paper cited.
IPTel
All versions of SIP Express Router up to 0.8.9 are sadly vulnerable
to the OUSPG test suite. We strongly advice to upgrade to version
0.8.10. Please also apply the patch to version 0.8.10 from
http://www.iptel.org/ser/security/
before installation and keep on watching this site in the future.
We apologize to our users for the trouble.
Hewlett-Packard Company
Source:
Hewlett-Packard Company
Software Security Response Team
cross reference id: SSRT2402
HP-UX - not vulnerable
HP-MPE/ix - not vulnerable
HP Tru64 UNIX - not vulnerable
HP OpenVMS - not vulnerable
HP NonStop Servers - not vulnerable
To report potential security vulnerabilities in HP software, send
an E-mail message to: mailto:security-alert@hp.com
Lucent
No Lucent products are known to be affected by this vulnerability,
however we are still researching the issue and will update this
statement as needed.
Microsoft Corporation
Microsoft has investigated these issues. The Microsoft SIP client
implementation is not affected.
NEC Corporation
===================================================================
NEC vendor statement for VU#528719
===================================================================
sent on February 13, 2002
Server Products
* EWS/UP 48 Series operating system
* - is NOT vulnerable, because it does not support SIP.
Router Products
* IX 1000 / 2000 / 5000 Series
* - is NOT vulnerable, because it does not support SIP.
Other Network products
* We continue to check our products which support SIP protocol.
===================================================================
NETBSD
NetBSD does not ship any implementation of SIP.
NETfilter.org
As the linux 2.4/2.5 netfilter implementation currently doesn't
support connection tracking or NAT for the SIP protocol suite, we
are not vulnerable to this bug.
NetScreen
NetScreen is not vulnerable to this issue.
Network Appliance
NetApp products are not affected by this vulnerability.
Nokia
Nokia IP Security Platforms based on IPSO, Nokis Small Office
Solution platforms, Nokia VPN products and Nokia Message Protector
platform do not initiate or terminate SIP based sessions. The
mentioned Nokia products are not susceptible to this vulnerability
Nortel Networks
Nortel Networks is cooperating to the fullest extent with the CERT
Coordination Center. All Nortel Networks products that use Session
Initiation Protocol SIP) have been tested and all generally
available products, with the following exceptions, have passed the
test suite:
Succession Communication Server 2000 and Succession Communication
Server 2000 - Compact are impacted by the test suite only in
configurations where SIP-T has been provisioned within the
Communication Server; a software patch is expected to be available
by the end of February.
For further information about Nortel Networks products please
contact Nortel Networks Global Network Support.
North America: 1-800-4-NORTEL, or (1-800-466-7835)
Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907
9009
Contacts for other regions available at the Global Contact
<http://www.nortelnetworks.com/help/contact/global/> web page.
Novell
Novell has no products implementing SIP.
Secure Computing Corporation
Neither Sidewinder nor Gauntlet implements SIP, so we do not need
to be on the vendor list for this vulnerability.
SecureWorx
We hereby attest that SecureWorx Basilisk Gateway Security product
suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the
Session Initiation Protocol (SIP) Vulnerability VU#528719 as
described in the OUSPG announcement (OUSPG#0106) received on Fri, 8
Nov 2002 10:17:11 -0500.
Stonesoft
Stonesoft's StoneGate high availability firewall and VPN product
does not contain any code that handles SIP protocol. No versions of
StoneGate are vulnerable.
Symantec
Symantec Corporation products are not vulnerable to this issue.
Xerox
Xerox is aware of this vulnerability and is currently assessing all
products. This statement will be updated as new information becomes
available.
Appendix B. - References
1. http://www.ee.oulu.fi/research/ouspg/protos/
2. http://www.kb.cert.org/vuls/id/528719
3. http://www.cert.org/tech_tips/denial_of_service.html
4. http://www.ietf.org/html.charters/sip-charter.html
5. RFC3261 - SIP: Session Initiation Protocol
6. RFC2327 - SDP: Session Description Protocol
7. RFC2279 - UTF-8, a transformation format of ISO 10646
8. Session Initiation Protocol Basic Call Flow Examples
9. We would also like to acknowledge the
"RedSkins" project of "MediaTeam Oulu" for their support of this
research.
_________________________________________________________________
Feedback on this document can be directed to the authors,
Jason A. Rafail and Ian A. Finlay.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2003-06.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
Revision History
Feb 21, 2003: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPlZDZmjtSoHZUTs5AQGBKwQAr+4iXdsjC3LcN3QB77+6uslWZlP4AZlG
IXS4u50QPNhuFw/vnuOG2FM4bCSUE7h+nG3eyakS1dWO3jGyybMFWPyvykYeFUKQ
17QbmykeWBUVdGmxOeuVmSdmz7MSp6U+FZZmzuUWM85DlSUKoYg8dF7CqVuC137O
Eisa8/wivlM=
=p961
-----END PGP SIGNATURE-----
. Android Platform Release: 04 Aug 2014
Security issues were discovered in the Android platform of Cordova. Other Cordova platforms such as iOS are unaffected, and do not have an update.
The security issues are CVE-2014-3500, CVE-2014-3501, and CVE-2014-3502.
For your convenience, the text of these CVEs is included here.
A blog post is available at http://cordova.apache.org/#news
CVE-2014-3500: Cordova cross-application scripting via Android intent URLs
Severity: High
Vendor:
The Apache Software Foundation
Versions Affected:
Cordova Android versions up to 3.5.0
Description:
Android applications built with the Cordova framework can be launched through
a special intent URL. A specially-crafted URL could cause the Cordova-based
application to start up with a different start page than the developer
intended, including other HTML content stored on the Android device. This has
been the case in all released versions of Cordova up to 3.5.0, and has been
fixed in the latest release (3.5.1). We recommend affected projects update
their applications to the latest release.
Upgrade path:
Developers who are concerned about this should rebuild their applications with
Cordova Android 3.5.1.
Credit:
This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.
CVE-2014-3501: Cordova whitelist bypass for non-HTTP URLs
Severity: Medium
Vendor:
The Apache Software Foundation
Versions Affected:
All released Cordova Android versions
Description:
Android applications built with the Cordova framework use a WebView component
to display content. Cordova applications can specify a whitelist of URLs which
the application will be allowed to display, or to communicate with via
XMLHttpRequest. This whitelist, however, is not used by the WebView component
when it is directed via JavaScript to communicate over non-http channels.
It is possible to mitigate this attack vector by adding a CSP meta tag to all
HTML pages in the application, to allow connections only to trusted sources.
App developers should also upgrade to Cordova Android 3.5.1, to reduce the risk
of XAS attacks against their applications, which could then use this mechanism
to reach unintended servers. See CVE-2014-3500 for more information on a
possible XAS vulnerability.
Upgrade path:
Developers who are concerned about this should rebuild their applications with
Cordova Android 3.5.1, and consider adding CSP meta tags to their application
HTML.
Credit:
This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.
CVE-2014-3502: Cordova apps can potentially leak data to other apps via Android
intent URLs
Severity: Medium
Vendor:
The Apache Software Foundation
Versions Affected:
Cordova Android versions up to 3.5.0
Description:
Android applications built with the Cordova framework can launch other
applications through the use of anchor tags, or by redirecting the webview to
an Android intent URL. An attacker who can manipulate the HTML content of a
Cordova application can create links which open other applications and send
arbitrary data to those applications. An attacker who can run arbitrary
JavaScript code within the context of the Cordova application can also set the
document location to such a URL. By using this in concert with a second,
vulnerable application, an attacker might be able to use this method to send
data from the Cordova application to the network.
The latest release of Cordova Android takes steps to block explicit Android
intent urls, so that they can no longer be used to start arbitrary applications
on the device.
Upgrade path:
Developers who are concerned about this should rebuild their applications with
Cordova Android 3.5.1.
Credit:
This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems
VAR-200312-0084 | CVE-2003-1109 | Multiple implementations of the Session Initiation Protocol (SIP) contain multiple types of vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Session Initiation Protocol (SIP) implementation in multiple Cisco products including IP Phone models 7940 and 7960, IOS versions in the 12.2 train, and Secure PIX 5.2.9 to 6.2.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices. These issues may be exploited to cause a denial of services in devices which implement the protocol. It has also been reported that unauthorized access to devices may occur under some circumstances.
These issues are related to handling of SIP INVITE messages.
Exploitation and the specific nature of each vulnerability may depend on the particular implementation. SIP is part of the IETF standards process, and it builds on foundations such as SMTP (Simple Mail Transfer Protocol) and HTTP (Hypertext Transfer Protocol). It is used to establish, change and terminate calls between users based on IP networks. These vulnerabilities include buffer overflow and improper handling of request messages containing illegal headers, which can cause buffer overflow on devices running this protocol, resulting in denial of service, and may also cause unauthorized access or remote execution of arbitrary commands. Cisco IP Telephony Modules 7940 and 7960 have these vulnerabilities, which can cause denial of service, and are documented in Cisco Bug IDs CSCdz26317, CSCdz29003, CSCdz29033, and CSCdz29041. Versions running Cisco IOS 12.2T train or any 12.2 \'\'X\'\' train will reset due to incorrect handling of SIP protocols containing illegal headers. These vulnerabilities are documented in Cisco Bug IDs CSCdz39284 and CSCdz41124. Devices running an IOS version with this vulnerability and configured as a SIP gateway will cause the vulnerability generated by CSCdz39284. However, any version of IOS running with this vulnerability and configured in NAT mode will cause the vulnerability described by CSCdz41124 when SIP uses UDP for transmission. The Cisco PIX firewall resets when it receives a fragmented SIP INVITE message. Since the current SIP patch does not support fragmented SIP messages, the vulnerability described by Cisco Bug ID CSCdx47789 is temporarily patched by dropping SIP fragments.
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the
Session Initiation Protocol (SIP)
Original release date: February 21, 2003
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Other systems making use of SIP may also be vulnerable but were not
specifically tested. Not all SIP implementations are affected. See
Vendor Information for details from vendors who have provided feedback
for this advisory.
In addition to the vendors who provided feedback for this advisory, a
list of vendors whom CERT/CC contacted regarding these problems is
available from VU#528719. These
vulnerabilities may allow an attacker to gain unauthorized privileged
access, cause denial-of-service attacks, or cause unstable system
behavior. If your site uses SIP-enabled products in any capacity, the
CERT/CC encourages you to read this advisory and follow the advice
provided in the Solution section below.
I.
SIP is a text-based protocol for initiating communication and data
sessions between users.
The Oulu University Secure Programming Group (OUSPG) previously
conducted research into vulnerabilities in LDAP, culminating in CERT
Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03.
OUSPG's most recent research focused on a subset of SIP related to the
INVITE message, which SIP agents and proxies are required to accept in
order to set up sessions. Note that "throttling" is an expected
behavior.
Specifications for the Session Initiation Protocol are available in
RFC3261:
http://www.ietf.org/rfc/rfc3261.txt
OUSPG has established the following site with detailed documentation
regarding SIP and the implementation test results from the test suite:
http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/
The IETF Charter page for SIP is available at
http://www.ietf.org/html.charters/sip-charter.html
II. Impact
Exploitation of these vulnerabilities may result in denial-of-service
conditions, service interruptions, and in some cases may allow an
attacker to gain unauthorized access to the affected device. Specific
impacts will vary from product to product.
III. Solution
Many of the mitigation steps recommended below may have significant
impact on your everyday network operations and/or network
architecture. Ensure that any changes made based on the following
recommendations will not unacceptably affect your ongoing network
operations capability.
Apply a patch from your vendor
Appendix A contains information provided by vendors for this
advisory. Please consult this appendix and VU#528719 to determine
if your product is vulnerable. If a statement is unavailable, you
may need to contact your vendor directly.
Disable the SIP-enabled devices and services
As a general rule, the CERT/CC recommends disabling any service or
capability that is not explicitly required. Some of the affected
products may rely on SIP to be functional. You should carefully
consider the impact of blocking services that you may be using.
Ingress filtering
As a temporary measure, it may be possible to limit the scope of
these vulnerabilities by blocking access to SIP devices and
services at the network perimeter.
Ingress filtering manages the flow of traffic as it enters a
network under your administrative control. Servers are typically
the only machines that need to accept inbound traffic from the
public Internet. Note that most SIP User Agents (including IP
phones or "clien"t software) consist of a User Agent Client and a
User Agent Server. In the network usage policy of many sites, there
are few reasons for external hosts to initiate inbound traffic to
machines that provide no public services. Thus, ingress filtering
should be performed at the border to prohibit externally initiated
inbound traffic to non-authorized services.
Please note that this workaround may not protect vulnerable devices
from internal attacks.
Egress filtering
Egress filtering manages the flow of traffic as it leaves a network
under your administrative control. There is typically limited need
for machines providing public services to initiate outbound traffic
to the Internet. In the case of the SIP vulnerabilities, employing
egress filtering on the ports listed above at your network border
may prevent your network from being used as a source for attacks on
other sites.
Block SIP requests directed to broadcast addresses at your router.
Since SIP requests can be transmitted via UDP, broadcast attacks
are possible. One solution to prevent your site from being used as
an intermediary in an attack is to block SIP requests directed to
broadcast addresses at your router.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.
America Online Inc
Not vulnerable.
Apple Computer Inc.
There are currently no applications shipped by Apple with Mac OS X
or Mac OS X Server which make use of the Session Initiation
Protocol.
Borderware
No BorderWare products make use of SIP and thus no BorderWare
products are affected by this vulnerability.
We would however like to extend our thanks to the OUSPG for their
work as well as for the responsible manner in which they handle
their discoveries. Their detailed reports and test suites are
certainly well-received.
We would also like to reiterate the fact that SIP has yet to
mature, protocol-wise as well as implementation-wise. We do not
recommend that our customers set up SIP relays in parallel to our
firewall products to pass SIP-based applications in or out of
networks where security is a concern of note.
F5 Networks
F5 Networks does not have a SIP server product, and is therefore
not affected by this vulnerability.
Fujitsu
With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable
because the relevant function is not supported under UXP/V.
IBM
SIP is not implemented as part of the AIX operating system.
IP Filter
IPFilter does not do any SIP specific protocol handling and is
therefore not affected by the issues mentioned in the paper cited.
IPTel
All versions of SIP Express Router up to 0.8.9 are sadly vulnerable
to the OUSPG test suite. We strongly advice to upgrade to version
0.8.10. Please also apply the patch to version 0.8.10 from
http://www.iptel.org/ser/security/
before installation and keep on watching this site in the future.
We apologize to our users for the trouble.
Hewlett-Packard Company
Source:
Hewlett-Packard Company
Software Security Response Team
cross reference id: SSRT2402
HP-UX - not vulnerable
HP-MPE/ix - not vulnerable
HP Tru64 UNIX - not vulnerable
HP OpenVMS - not vulnerable
HP NonStop Servers - not vulnerable
To report potential security vulnerabilities in HP software, send
an E-mail message to: mailto:security-alert@hp.com
Lucent
No Lucent products are known to be affected by this vulnerability,
however we are still researching the issue and will update this
statement as needed.
Microsoft Corporation
Microsoft has investigated these issues. The Microsoft SIP client
implementation is not affected.
NEC Corporation
===================================================================
NEC vendor statement for VU#528719
===================================================================
sent on February 13, 2002
Server Products
* EWS/UP 48 Series operating system
* - is NOT vulnerable, because it does not support SIP.
Router Products
* IX 1000 / 2000 / 5000 Series
* - is NOT vulnerable, because it does not support SIP.
Other Network products
* We continue to check our products which support SIP protocol.
===================================================================
NETBSD
NetBSD does not ship any implementation of SIP.
NETfilter.org
As the linux 2.4/2.5 netfilter implementation currently doesn't
support connection tracking or NAT for the SIP protocol suite, we
are not vulnerable to this bug.
NetScreen
NetScreen is not vulnerable to this issue.
Network Appliance
NetApp products are not affected by this vulnerability.
Nokia
Nokia IP Security Platforms based on IPSO, Nokis Small Office
Solution platforms, Nokia VPN products and Nokia Message Protector
platform do not initiate or terminate SIP based sessions. The
mentioned Nokia products are not susceptible to this vulnerability
Nortel Networks
Nortel Networks is cooperating to the fullest extent with the CERT
Coordination Center. All Nortel Networks products that use Session
Initiation Protocol SIP) have been tested and all generally
available products, with the following exceptions, have passed the
test suite:
Succession Communication Server 2000 and Succession Communication
Server 2000 - Compact are impacted by the test suite only in
configurations where SIP-T has been provisioned within the
Communication Server; a software patch is expected to be available
by the end of February.
For further information about Nortel Networks products please
contact Nortel Networks Global Network Support.
North America: 1-800-4-NORTEL, or (1-800-466-7835)
Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907
9009
Contacts for other regions available at the Global Contact
<http://www.nortelnetworks.com/help/contact/global/> web page.
Novell
Novell has no products implementing SIP.
Secure Computing Corporation
Neither Sidewinder nor Gauntlet implements SIP, so we do not need
to be on the vendor list for this vulnerability.
SecureWorx
We hereby attest that SecureWorx Basilisk Gateway Security product
suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the
Session Initiation Protocol (SIP) Vulnerability VU#528719 as
described in the OUSPG announcement (OUSPG#0106) received on Fri, 8
Nov 2002 10:17:11 -0500.
Stonesoft
Stonesoft's StoneGate high availability firewall and VPN product
does not contain any code that handles SIP protocol. No versions of
StoneGate are vulnerable.
Symantec
Symantec Corporation products are not vulnerable to this issue.
Xerox
Xerox is aware of this vulnerability and is currently assessing all
products. This statement will be updated as new information becomes
available.
Appendix B. - References
1. http://www.ee.oulu.fi/research/ouspg/protos/
2. http://www.kb.cert.org/vuls/id/528719
3. http://www.cert.org/tech_tips/denial_of_service.html
4. http://www.ietf.org/html.charters/sip-charter.html
5. RFC3261 - SIP: Session Initiation Protocol
6. RFC2327 - SDP: Session Description Protocol
7. RFC2279 - UTF-8, a transformation format of ISO 10646
8. Session Initiation Protocol Basic Call Flow Examples
9. We would also like to acknowledge the
"RedSkins" project of "MediaTeam Oulu" for their support of this
research.
_________________________________________________________________
Feedback on this document can be directed to the authors,
Jason A. Rafail and Ian A. Finlay.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2003-06.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
Revision History
Feb 21, 2003: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPlZDZmjtSoHZUTs5AQGBKwQAr+4iXdsjC3LcN3QB77+6uslWZlP4AZlG
IXS4u50QPNhuFw/vnuOG2FM4bCSUE7h+nG3eyakS1dWO3jGyybMFWPyvykYeFUKQ
17QbmykeWBUVdGmxOeuVmSdmz7MSp6U+FZZmzuUWM85DlSUKoYg8dF7CqVuC137O
Eisa8/wivlM=
=p961
-----END PGP SIGNATURE-----
VAR-200312-0209 | CVE-2003-1108 | Multiple implementations of the Session Initiation Protocol (SIP) contain multiple types of vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Session Initiation Protocol (SIP) implementation in Alcatel OmniPCX Enterprise 5.0 Lx allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices. Provided by many vendors SIP For service implementation, SIP Used when establishing a session INVITE Malicious due to poor message processing INVITE Service disruption by creating and sending requests (DoS) There is a vulnerability that becomes a condition.SIP Service disrupted service operation (DoS) State, or SIP Arbitrary code may be executed with the privilege of executing the service. These issues may be exploited to cause a denial of services in devices which implement the protocol. It has also been reported that unauthorized access to devices may occur under some circumstances.
These issues are related to handling of SIP INVITE messages.
Exploitation and the specific nature of each vulnerability may depend on the particular implementation.
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the
Session Initiation Protocol (SIP)
Original release date: February 21, 2003
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Other systems making use of SIP may also be vulnerable but were not
specifically tested. Not all SIP implementations are affected. See
Vendor Information for details from vendors who have provided feedback
for this advisory.
In addition to the vendors who provided feedback for this advisory, a
list of vendors whom CERT/CC contacted regarding these problems is
available from VU#528719. These
vulnerabilities may allow an attacker to gain unauthorized privileged
access, cause denial-of-service attacks, or cause unstable system
behavior. If your site uses SIP-enabled products in any capacity, the
CERT/CC encourages you to read this advisory and follow the advice
provided in the Solution section below.
I.
SIP is a text-based protocol for initiating communication and data
sessions between users.
The Oulu University Secure Programming Group (OUSPG) previously
conducted research into vulnerabilities in LDAP, culminating in CERT
Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03.
OUSPG's most recent research focused on a subset of SIP related to the
INVITE message, which SIP agents and proxies are required to accept in
order to set up sessions. Note that "throttling" is an expected
behavior.
Specifications for the Session Initiation Protocol are available in
RFC3261:
http://www.ietf.org/rfc/rfc3261.txt
OUSPG has established the following site with detailed documentation
regarding SIP and the implementation test results from the test suite:
http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/
The IETF Charter page for SIP is available at
http://www.ietf.org/html.charters/sip-charter.html
II. Impact
Exploitation of these vulnerabilities may result in denial-of-service
conditions, service interruptions, and in some cases may allow an
attacker to gain unauthorized access to the affected device. Specific
impacts will vary from product to product.
III. Solution
Many of the mitigation steps recommended below may have significant
impact on your everyday network operations and/or network
architecture. Ensure that any changes made based on the following
recommendations will not unacceptably affect your ongoing network
operations capability.
Apply a patch from your vendor
Appendix A contains information provided by vendors for this
advisory. Please consult this appendix and VU#528719 to determine
if your product is vulnerable. If a statement is unavailable, you
may need to contact your vendor directly.
Disable the SIP-enabled devices and services
As a general rule, the CERT/CC recommends disabling any service or
capability that is not explicitly required. Some of the affected
products may rely on SIP to be functional. You should carefully
consider the impact of blocking services that you may be using.
Ingress filtering
As a temporary measure, it may be possible to limit the scope of
these vulnerabilities by blocking access to SIP devices and
services at the network perimeter.
Ingress filtering manages the flow of traffic as it enters a
network under your administrative control. Servers are typically
the only machines that need to accept inbound traffic from the
public Internet. Note that most SIP User Agents (including IP
phones or "clien"t software) consist of a User Agent Client and a
User Agent Server. In the network usage policy of many sites, there
are few reasons for external hosts to initiate inbound traffic to
machines that provide no public services. Thus, ingress filtering
should be performed at the border to prohibit externally initiated
inbound traffic to non-authorized services.
Please note that this workaround may not protect vulnerable devices
from internal attacks.
Egress filtering
Egress filtering manages the flow of traffic as it leaves a network
under your administrative control. There is typically limited need
for machines providing public services to initiate outbound traffic
to the Internet. In the case of the SIP vulnerabilities, employing
egress filtering on the ports listed above at your network border
may prevent your network from being used as a source for attacks on
other sites.
Block SIP requests directed to broadcast addresses at your router.
Since SIP requests can be transmitted via UDP, broadcast attacks
are possible. One solution to prevent your site from being used as
an intermediary in an attack is to block SIP requests directed to
broadcast addresses at your router.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.
America Online Inc
Not vulnerable.
Apple Computer Inc.
There are currently no applications shipped by Apple with Mac OS X
or Mac OS X Server which make use of the Session Initiation
Protocol.
Borderware
No BorderWare products make use of SIP and thus no BorderWare
products are affected by this vulnerability.
We would however like to extend our thanks to the OUSPG for their
work as well as for the responsible manner in which they handle
their discoveries. Their detailed reports and test suites are
certainly well-received.
We would also like to reiterate the fact that SIP has yet to
mature, protocol-wise as well as implementation-wise. We do not
recommend that our customers set up SIP relays in parallel to our
firewall products to pass SIP-based applications in or out of
networks where security is a concern of note.
F5 Networks
F5 Networks does not have a SIP server product, and is therefore
not affected by this vulnerability.
Fujitsu
With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable
because the relevant function is not supported under UXP/V.
IBM
SIP is not implemented as part of the AIX operating system.
IP Filter
IPFilter does not do any SIP specific protocol handling and is
therefore not affected by the issues mentioned in the paper cited.
IPTel
All versions of SIP Express Router up to 0.8.9 are sadly vulnerable
to the OUSPG test suite. We strongly advice to upgrade to version
0.8.10. Please also apply the patch to version 0.8.10 from
http://www.iptel.org/ser/security/
before installation and keep on watching this site in the future.
We apologize to our users for the trouble.
Hewlett-Packard Company
Source:
Hewlett-Packard Company
Software Security Response Team
cross reference id: SSRT2402
HP-UX - not vulnerable
HP-MPE/ix - not vulnerable
HP Tru64 UNIX - not vulnerable
HP OpenVMS - not vulnerable
HP NonStop Servers - not vulnerable
To report potential security vulnerabilities in HP software, send
an E-mail message to: mailto:security-alert@hp.com
Lucent
No Lucent products are known to be affected by this vulnerability,
however we are still researching the issue and will update this
statement as needed.
Microsoft Corporation
Microsoft has investigated these issues. The Microsoft SIP client
implementation is not affected.
NEC Corporation
===================================================================
NEC vendor statement for VU#528719
===================================================================
sent on February 13, 2002
Server Products
* EWS/UP 48 Series operating system
* - is NOT vulnerable, because it does not support SIP.
Router Products
* IX 1000 / 2000 / 5000 Series
* - is NOT vulnerable, because it does not support SIP.
Other Network products
* We continue to check our products which support SIP protocol.
===================================================================
NETBSD
NetBSD does not ship any implementation of SIP.
NETfilter.org
As the linux 2.4/2.5 netfilter implementation currently doesn't
support connection tracking or NAT for the SIP protocol suite, we
are not vulnerable to this bug.
NetScreen
NetScreen is not vulnerable to this issue.
Network Appliance
NetApp products are not affected by this vulnerability.
Nokia
Nokia IP Security Platforms based on IPSO, Nokis Small Office
Solution platforms, Nokia VPN products and Nokia Message Protector
platform do not initiate or terminate SIP based sessions. The
mentioned Nokia products are not susceptible to this vulnerability
Nortel Networks
Nortel Networks is cooperating to the fullest extent with the CERT
Coordination Center. All Nortel Networks products that use Session
Initiation Protocol SIP) have been tested and all generally
available products, with the following exceptions, have passed the
test suite:
Succession Communication Server 2000 and Succession Communication
Server 2000 - Compact are impacted by the test suite only in
configurations where SIP-T has been provisioned within the
Communication Server; a software patch is expected to be available
by the end of February.
For further information about Nortel Networks products please
contact Nortel Networks Global Network Support.
North America: 1-800-4-NORTEL, or (1-800-466-7835)
Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907
9009
Contacts for other regions available at the Global Contact
<http://www.nortelnetworks.com/help/contact/global/> web page.
Novell
Novell has no products implementing SIP.
Secure Computing Corporation
Neither Sidewinder nor Gauntlet implements SIP, so we do not need
to be on the vendor list for this vulnerability.
SecureWorx
We hereby attest that SecureWorx Basilisk Gateway Security product
suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the
Session Initiation Protocol (SIP) Vulnerability VU#528719 as
described in the OUSPG announcement (OUSPG#0106) received on Fri, 8
Nov 2002 10:17:11 -0500.
Stonesoft
Stonesoft's StoneGate high availability firewall and VPN product
does not contain any code that handles SIP protocol. No versions of
StoneGate are vulnerable.
Symantec
Symantec Corporation products are not vulnerable to this issue.
Xerox
Xerox is aware of this vulnerability and is currently assessing all
products. This statement will be updated as new information becomes
available.
Appendix B. - References
1. http://www.ee.oulu.fi/research/ouspg/protos/
2. http://www.kb.cert.org/vuls/id/528719
3. http://www.cert.org/tech_tips/denial_of_service.html
4. http://www.ietf.org/html.charters/sip-charter.html
5. RFC3261 - SIP: Session Initiation Protocol
6. RFC2327 - SDP: Session Description Protocol
7. RFC2279 - UTF-8, a transformation format of ISO 10646
8. Session Initiation Protocol Basic Call Flow Examples
9. We would also like to acknowledge the
"RedSkins" project of "MediaTeam Oulu" for their support of this
research.
_________________________________________________________________
Feedback on this document can be directed to the authors,
Jason A. Rafail and Ian A. Finlay.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2003-06.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
Revision History
Feb 21, 2003: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPlZDZmjtSoHZUTs5AQGBKwQAr+4iXdsjC3LcN3QB77+6uslWZlP4AZlG
IXS4u50QPNhuFw/vnuOG2FM4bCSUE7h+nG3eyakS1dWO3jGyybMFWPyvykYeFUKQ
17QbmykeWBUVdGmxOeuVmSdmz7MSp6U+FZZmzuUWM85DlSUKoYg8dF7CqVuC137O
Eisa8/wivlM=
=p961
-----END PGP SIGNATURE-----
VAR-200312-0090 | CVE-2003-1115 | Multiple implementations of the Session Initiation Protocol (SIP) contain multiple types of vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Session Initiation Protocol (SIP) implementation in Nortel Networks Succession Communication Server 2000, when using SIP-T, allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices. These issues may be exploited to cause a denial of services in devices which implement the protocol. It has also been reported that unauthorized access to devices may occur under some circumstances.
These issues are related to handling of SIP INVITE messages.
Exploitation and the specific nature of each vulnerability may depend on the particular implementation.
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the
Session Initiation Protocol (SIP)
Original release date: February 21, 2003
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Other systems making use of SIP may also be vulnerable but were not
specifically tested. Not all SIP implementations are affected. See
Vendor Information for details from vendors who have provided feedback
for this advisory.
In addition to the vendors who provided feedback for this advisory, a
list of vendors whom CERT/CC contacted regarding these problems is
available from VU#528719. These
vulnerabilities may allow an attacker to gain unauthorized privileged
access, cause denial-of-service attacks, or cause unstable system
behavior. If your site uses SIP-enabled products in any capacity, the
CERT/CC encourages you to read this advisory and follow the advice
provided in the Solution section below.
I.
SIP is a text-based protocol for initiating communication and data
sessions between users.
The Oulu University Secure Programming Group (OUSPG) previously
conducted research into vulnerabilities in LDAP, culminating in CERT
Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03.
OUSPG's most recent research focused on a subset of SIP related to the
INVITE message, which SIP agents and proxies are required to accept in
order to set up sessions. Note that "throttling" is an expected
behavior.
Specifications for the Session Initiation Protocol are available in
RFC3261:
http://www.ietf.org/rfc/rfc3261.txt
OUSPG has established the following site with detailed documentation
regarding SIP and the implementation test results from the test suite:
http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/
The IETF Charter page for SIP is available at
http://www.ietf.org/html.charters/sip-charter.html
II. Impact
Exploitation of these vulnerabilities may result in denial-of-service
conditions, service interruptions, and in some cases may allow an
attacker to gain unauthorized access to the affected device. Specific
impacts will vary from product to product.
III. Solution
Many of the mitigation steps recommended below may have significant
impact on your everyday network operations and/or network
architecture. Ensure that any changes made based on the following
recommendations will not unacceptably affect your ongoing network
operations capability.
Apply a patch from your vendor
Appendix A contains information provided by vendors for this
advisory. Please consult this appendix and VU#528719 to determine
if your product is vulnerable. If a statement is unavailable, you
may need to contact your vendor directly.
Disable the SIP-enabled devices and services
As a general rule, the CERT/CC recommends disabling any service or
capability that is not explicitly required. Some of the affected
products may rely on SIP to be functional. You should carefully
consider the impact of blocking services that you may be using.
Ingress filtering
As a temporary measure, it may be possible to limit the scope of
these vulnerabilities by blocking access to SIP devices and
services at the network perimeter.
Ingress filtering manages the flow of traffic as it enters a
network under your administrative control. Servers are typically
the only machines that need to accept inbound traffic from the
public Internet. Note that most SIP User Agents (including IP
phones or "clien"t software) consist of a User Agent Client and a
User Agent Server. In the network usage policy of many sites, there
are few reasons for external hosts to initiate inbound traffic to
machines that provide no public services. Thus, ingress filtering
should be performed at the border to prohibit externally initiated
inbound traffic to non-authorized services.
Please note that this workaround may not protect vulnerable devices
from internal attacks.
Egress filtering
Egress filtering manages the flow of traffic as it leaves a network
under your administrative control. There is typically limited need
for machines providing public services to initiate outbound traffic
to the Internet. In the case of the SIP vulnerabilities, employing
egress filtering on the ports listed above at your network border
may prevent your network from being used as a source for attacks on
other sites.
Block SIP requests directed to broadcast addresses at your router.
Since SIP requests can be transmitted via UDP, broadcast attacks
are possible. One solution to prevent your site from being used as
an intermediary in an attack is to block SIP requests directed to
broadcast addresses at your router.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.
America Online Inc
Not vulnerable.
Apple Computer Inc.
There are currently no applications shipped by Apple with Mac OS X
or Mac OS X Server which make use of the Session Initiation
Protocol.
Borderware
No BorderWare products make use of SIP and thus no BorderWare
products are affected by this vulnerability.
We would however like to extend our thanks to the OUSPG for their
work as well as for the responsible manner in which they handle
their discoveries. Their detailed reports and test suites are
certainly well-received.
We would also like to reiterate the fact that SIP has yet to
mature, protocol-wise as well as implementation-wise. We do not
recommend that our customers set up SIP relays in parallel to our
firewall products to pass SIP-based applications in or out of
networks where security is a concern of note.
F5 Networks
F5 Networks does not have a SIP server product, and is therefore
not affected by this vulnerability.
Fujitsu
With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable
because the relevant function is not supported under UXP/V.
IBM
SIP is not implemented as part of the AIX operating system.
IP Filter
IPFilter does not do any SIP specific protocol handling and is
therefore not affected by the issues mentioned in the paper cited.
IPTel
All versions of SIP Express Router up to 0.8.9 are sadly vulnerable
to the OUSPG test suite. We strongly advice to upgrade to version
0.8.10. Please also apply the patch to version 0.8.10 from
http://www.iptel.org/ser/security/
before installation and keep on watching this site in the future.
We apologize to our users for the trouble.
Hewlett-Packard Company
Source:
Hewlett-Packard Company
Software Security Response Team
cross reference id: SSRT2402
HP-UX - not vulnerable
HP-MPE/ix - not vulnerable
HP Tru64 UNIX - not vulnerable
HP OpenVMS - not vulnerable
HP NonStop Servers - not vulnerable
To report potential security vulnerabilities in HP software, send
an E-mail message to: mailto:security-alert@hp.com
Lucent
No Lucent products are known to be affected by this vulnerability,
however we are still researching the issue and will update this
statement as needed.
Microsoft Corporation
Microsoft has investigated these issues. The Microsoft SIP client
implementation is not affected.
NEC Corporation
===================================================================
NEC vendor statement for VU#528719
===================================================================
sent on February 13, 2002
Server Products
* EWS/UP 48 Series operating system
* - is NOT vulnerable, because it does not support SIP.
Router Products
* IX 1000 / 2000 / 5000 Series
* - is NOT vulnerable, because it does not support SIP.
Other Network products
* We continue to check our products which support SIP protocol.
===================================================================
NETBSD
NetBSD does not ship any implementation of SIP.
NETfilter.org
As the linux 2.4/2.5 netfilter implementation currently doesn't
support connection tracking or NAT for the SIP protocol suite, we
are not vulnerable to this bug.
NetScreen
NetScreen is not vulnerable to this issue.
Network Appliance
NetApp products are not affected by this vulnerability.
Nokia
Nokia IP Security Platforms based on IPSO, Nokis Small Office
Solution platforms, Nokia VPN products and Nokia Message Protector
platform do not initiate or terminate SIP based sessions. The
mentioned Nokia products are not susceptible to this vulnerability
Nortel Networks
Nortel Networks is cooperating to the fullest extent with the CERT
Coordination Center.
For further information about Nortel Networks products please
contact Nortel Networks Global Network Support.
North America: 1-800-4-NORTEL, or (1-800-466-7835)
Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907
9009
Contacts for other regions available at the Global Contact
<http://www.nortelnetworks.com/help/contact/global/> web page.
Novell
Novell has no products implementing SIP.
Secure Computing Corporation
Neither Sidewinder nor Gauntlet implements SIP, so we do not need
to be on the vendor list for this vulnerability.
SecureWorx
We hereby attest that SecureWorx Basilisk Gateway Security product
suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the
Session Initiation Protocol (SIP) Vulnerability VU#528719 as
described in the OUSPG announcement (OUSPG#0106) received on Fri, 8
Nov 2002 10:17:11 -0500.
Stonesoft
Stonesoft's StoneGate high availability firewall and VPN product
does not contain any code that handles SIP protocol. No versions of
StoneGate are vulnerable.
Symantec
Symantec Corporation products are not vulnerable to this issue.
Xerox
Xerox is aware of this vulnerability and is currently assessing all
products. This statement will be updated as new information becomes
available.
Appendix B. - References
1. http://www.ee.oulu.fi/research/ouspg/protos/
2. http://www.kb.cert.org/vuls/id/528719
3. http://www.cert.org/tech_tips/denial_of_service.html
4. http://www.ietf.org/html.charters/sip-charter.html
5. RFC3261 - SIP: Session Initiation Protocol
6. RFC2327 - SDP: Session Description Protocol
7. RFC2279 - UTF-8, a transformation format of ISO 10646
8. Session Initiation Protocol Basic Call Flow Examples
9. We would also like to acknowledge the
"RedSkins" project of "MediaTeam Oulu" for their support of this
research.
_________________________________________________________________
Feedback on this document can be directed to the authors,
Jason A. Rafail and Ian A. Finlay.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2003-06.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
Revision History
Feb 21, 2003: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPlZDZmjtSoHZUTs5AQGBKwQAr+4iXdsjC3LcN3QB77+6uslWZlP4AZlG
IXS4u50QPNhuFw/vnuOG2FM4bCSUE7h+nG3eyakS1dWO3jGyybMFWPyvykYeFUKQ
17QbmykeWBUVdGmxOeuVmSdmz7MSp6U+FZZmzuUWM85DlSUKoYg8dF7CqVuC137O
Eisa8/wivlM=
=p961
-----END PGP SIGNATURE-----
VAR-200312-0086 | CVE-2003-1111 | Multiple implementations of the Session Initiation Protocol (SIP) contain multiple types of vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Session Initiation Protocol (SIP) implementation in multiple dynamicsoft products including y and certain demo products for AppEngine allows remote attackers to cause a denial of service or execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices. These issues may be exploited to cause a denial of services in devices which implement the protocol. It has also been reported that unauthorized access to devices may occur under some circumstances.
These issues are related to handling of SIP INVITE messages.
Exploitation and the specific nature of each vulnerability may depend on the particular implementation.
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the
Session Initiation Protocol (SIP)
Original release date: February 21, 2003
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Other systems making use of SIP may also be vulnerable but were not
specifically tested. Not all SIP implementations are affected. See
Vendor Information for details from vendors who have provided feedback
for this advisory.
In addition to the vendors who provided feedback for this advisory, a
list of vendors whom CERT/CC contacted regarding these problems is
available from VU#528719. These
vulnerabilities may allow an attacker to gain unauthorized privileged
access, cause denial-of-service attacks, or cause unstable system
behavior. If your site uses SIP-enabled products in any capacity, the
CERT/CC encourages you to read this advisory and follow the advice
provided in the Solution section below.
I.
SIP is a text-based protocol for initiating communication and data
sessions between users.
The Oulu University Secure Programming Group (OUSPG) previously
conducted research into vulnerabilities in LDAP, culminating in CERT
Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03.
OUSPG's most recent research focused on a subset of SIP related to the
INVITE message, which SIP agents and proxies are required to accept in
order to set up sessions. Note that "throttling" is an expected
behavior.
Specifications for the Session Initiation Protocol are available in
RFC3261:
http://www.ietf.org/rfc/rfc3261.txt
OUSPG has established the following site with detailed documentation
regarding SIP and the implementation test results from the test suite:
http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/
The IETF Charter page for SIP is available at
http://www.ietf.org/html.charters/sip-charter.html
II. Impact
Exploitation of these vulnerabilities may result in denial-of-service
conditions, service interruptions, and in some cases may allow an
attacker to gain unauthorized access to the affected device. Specific
impacts will vary from product to product.
III. Solution
Many of the mitigation steps recommended below may have significant
impact on your everyday network operations and/or network
architecture. Ensure that any changes made based on the following
recommendations will not unacceptably affect your ongoing network
operations capability.
Apply a patch from your vendor
Appendix A contains information provided by vendors for this
advisory. Please consult this appendix and VU#528719 to determine
if your product is vulnerable. If a statement is unavailable, you
may need to contact your vendor directly.
Disable the SIP-enabled devices and services
As a general rule, the CERT/CC recommends disabling any service or
capability that is not explicitly required. Some of the affected
products may rely on SIP to be functional. You should carefully
consider the impact of blocking services that you may be using.
Ingress filtering
As a temporary measure, it may be possible to limit the scope of
these vulnerabilities by blocking access to SIP devices and
services at the network perimeter.
Ingress filtering manages the flow of traffic as it enters a
network under your administrative control. Servers are typically
the only machines that need to accept inbound traffic from the
public Internet. Note that most SIP User Agents (including IP
phones or "clien"t software) consist of a User Agent Client and a
User Agent Server. In the network usage policy of many sites, there
are few reasons for external hosts to initiate inbound traffic to
machines that provide no public services. Thus, ingress filtering
should be performed at the border to prohibit externally initiated
inbound traffic to non-authorized services.
Please note that this workaround may not protect vulnerable devices
from internal attacks.
Egress filtering
Egress filtering manages the flow of traffic as it leaves a network
under your administrative control. There is typically limited need
for machines providing public services to initiate outbound traffic
to the Internet. In the case of the SIP vulnerabilities, employing
egress filtering on the ports listed above at your network border
may prevent your network from being used as a source for attacks on
other sites.
Block SIP requests directed to broadcast addresses at your router.
Since SIP requests can be transmitted via UDP, broadcast attacks
are possible. One solution to prevent your site from being used as
an intermediary in an attack is to block SIP requests directed to
broadcast addresses at your router.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.
America Online Inc
Not vulnerable.
Apple Computer Inc.
There are currently no applications shipped by Apple with Mac OS X
or Mac OS X Server which make use of the Session Initiation
Protocol.
Borderware
No BorderWare products make use of SIP and thus no BorderWare
products are affected by this vulnerability.
We would however like to extend our thanks to the OUSPG for their
work as well as for the responsible manner in which they handle
their discoveries. Their detailed reports and test suites are
certainly well-received.
We would also like to reiterate the fact that SIP has yet to
mature, protocol-wise as well as implementation-wise. We do not
recommend that our customers set up SIP relays in parallel to our
firewall products to pass SIP-based applications in or out of
networks where security is a concern of note.
F5 Networks
F5 Networks does not have a SIP server product, and is therefore
not affected by this vulnerability.
Fujitsu
With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable
because the relevant function is not supported under UXP/V.
IBM
SIP is not implemented as part of the AIX operating system.
IP Filter
IPFilter does not do any SIP specific protocol handling and is
therefore not affected by the issues mentioned in the paper cited.
IPTel
All versions of SIP Express Router up to 0.8.9 are sadly vulnerable
to the OUSPG test suite. We strongly advice to upgrade to version
0.8.10. Please also apply the patch to version 0.8.10 from
http://www.iptel.org/ser/security/
before installation and keep on watching this site in the future.
We apologize to our users for the trouble.
Hewlett-Packard Company
Source:
Hewlett-Packard Company
Software Security Response Team
cross reference id: SSRT2402
HP-UX - not vulnerable
HP-MPE/ix - not vulnerable
HP Tru64 UNIX - not vulnerable
HP OpenVMS - not vulnerable
HP NonStop Servers - not vulnerable
To report potential security vulnerabilities in HP software, send
an E-mail message to: mailto:security-alert@hp.com
Lucent
No Lucent products are known to be affected by this vulnerability,
however we are still researching the issue and will update this
statement as needed.
Microsoft Corporation
Microsoft has investigated these issues. The Microsoft SIP client
implementation is not affected.
NEC Corporation
===================================================================
NEC vendor statement for VU#528719
===================================================================
sent on February 13, 2002
Server Products
* EWS/UP 48 Series operating system
* - is NOT vulnerable, because it does not support SIP.
Router Products
* IX 1000 / 2000 / 5000 Series
* - is NOT vulnerable, because it does not support SIP.
Other Network products
* We continue to check our products which support SIP protocol.
===================================================================
NETBSD
NetBSD does not ship any implementation of SIP.
NETfilter.org
As the linux 2.4/2.5 netfilter implementation currently doesn't
support connection tracking or NAT for the SIP protocol suite, we
are not vulnerable to this bug.
NetScreen
NetScreen is not vulnerable to this issue.
Network Appliance
NetApp products are not affected by this vulnerability.
Nokia
Nokia IP Security Platforms based on IPSO, Nokis Small Office
Solution platforms, Nokia VPN products and Nokia Message Protector
platform do not initiate or terminate SIP based sessions. The
mentioned Nokia products are not susceptible to this vulnerability
Nortel Networks
Nortel Networks is cooperating to the fullest extent with the CERT
Coordination Center. All Nortel Networks products that use Session
Initiation Protocol SIP) have been tested and all generally
available products, with the following exceptions, have passed the
test suite:
Succession Communication Server 2000 and Succession Communication
Server 2000 - Compact are impacted by the test suite only in
configurations where SIP-T has been provisioned within the
Communication Server; a software patch is expected to be available
by the end of February.
For further information about Nortel Networks products please
contact Nortel Networks Global Network Support.
North America: 1-800-4-NORTEL, or (1-800-466-7835)
Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907
9009
Contacts for other regions available at the Global Contact
<http://www.nortelnetworks.com/help/contact/global/> web page.
Novell
Novell has no products implementing SIP.
Secure Computing Corporation
Neither Sidewinder nor Gauntlet implements SIP, so we do not need
to be on the vendor list for this vulnerability.
SecureWorx
We hereby attest that SecureWorx Basilisk Gateway Security product
suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the
Session Initiation Protocol (SIP) Vulnerability VU#528719 as
described in the OUSPG announcement (OUSPG#0106) received on Fri, 8
Nov 2002 10:17:11 -0500.
Stonesoft
Stonesoft's StoneGate high availability firewall and VPN product
does not contain any code that handles SIP protocol. No versions of
StoneGate are vulnerable.
Symantec
Symantec Corporation products are not vulnerable to this issue.
Xerox
Xerox is aware of this vulnerability and is currently assessing all
products. This statement will be updated as new information becomes
available.
Appendix B. - References
1. http://www.ee.oulu.fi/research/ouspg/protos/
2. http://www.kb.cert.org/vuls/id/528719
3. http://www.cert.org/tech_tips/denial_of_service.html
4. http://www.ietf.org/html.charters/sip-charter.html
5. RFC3261 - SIP: Session Initiation Protocol
6. RFC2327 - SDP: Session Description Protocol
7. RFC2279 - UTF-8, a transformation format of ISO 10646
8. Session Initiation Protocol Basic Call Flow Examples
9. We would also like to acknowledge the
"RedSkins" project of "MediaTeam Oulu" for their support of this
research.
_________________________________________________________________
Feedback on this document can be directed to the authors,
Jason A. Rafail and Ian A. Finlay.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2003-06.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
Revision History
Feb 21, 2003: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPlZDZmjtSoHZUTs5AQGBKwQAr+4iXdsjC3LcN3QB77+6uslWZlP4AZlG
IXS4u50QPNhuFw/vnuOG2FM4bCSUE7h+nG3eyakS1dWO3jGyybMFWPyvykYeFUKQ
17QbmykeWBUVdGmxOeuVmSdmz7MSp6U+FZZmzuUWM85DlSUKoYg8dF7CqVuC137O
Eisa8/wivlM=
=p961
-----END PGP SIGNATURE-----
VAR-200312-0085 | CVE-2003-1110 | Multiple implementations of the Session Initiation Protocol (SIP) contain multiple types of vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Session Initiation Protocol (SIP) implementation in Columbia SIP User Agent (sipc) 1.74 and other versions before sipc 2.0 build 2003-02-21 allows remote attackers to cause a denial of service or execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices. These issues may be exploited to cause a denial of services in devices which implement the protocol. It has also been reported that unauthorized access to devices may occur under some circumstances.
These issues are related to handling of SIP INVITE messages.
Exploitation and the specific nature of each vulnerability may depend on the particular implementation.
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the
Session Initiation Protocol (SIP)
Original release date: February 21, 2003
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Other systems making use of SIP may also be vulnerable but were not
specifically tested. Not all SIP implementations are affected. See
Vendor Information for details from vendors who have provided feedback
for this advisory.
In addition to the vendors who provided feedback for this advisory, a
list of vendors whom CERT/CC contacted regarding these problems is
available from VU#528719. These
vulnerabilities may allow an attacker to gain unauthorized privileged
access, cause denial-of-service attacks, or cause unstable system
behavior. If your site uses SIP-enabled products in any capacity, the
CERT/CC encourages you to read this advisory and follow the advice
provided in the Solution section below.
I.
SIP is a text-based protocol for initiating communication and data
sessions between users.
The Oulu University Secure Programming Group (OUSPG) previously
conducted research into vulnerabilities in LDAP, culminating in CERT
Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03.
OUSPG's most recent research focused on a subset of SIP related to the
INVITE message, which SIP agents and proxies are required to accept in
order to set up sessions. Note that "throttling" is an expected
behavior. Impact
Exploitation of these vulnerabilities may result in denial-of-service
conditions, service interruptions, and in some cases may allow an
attacker to gain unauthorized access to the affected device. Specific
impacts will vary from product to product.
III. Solution
Many of the mitigation steps recommended below may have significant
impact on your everyday network operations and/or network
architecture. Ensure that any changes made based on the following
recommendations will not unacceptably affect your ongoing network
operations capability.
Apply a patch from your vendor
Appendix A contains information provided by vendors for this
advisory. Please consult this appendix and VU#528719 to determine
if your product is vulnerable. If a statement is unavailable, you
may need to contact your vendor directly.
Disable the SIP-enabled devices and services
As a general rule, the CERT/CC recommends disabling any service or
capability that is not explicitly required. Some of the affected
products may rely on SIP to be functional. You should carefully
consider the impact of blocking services that you may be using.
Ingress filtering
As a temporary measure, it may be possible to limit the scope of
these vulnerabilities by blocking access to SIP devices and
services at the network perimeter.
Ingress filtering manages the flow of traffic as it enters a
network under your administrative control. Servers are typically
the only machines that need to accept inbound traffic from the
public Internet. Note that most SIP User Agents (including IP
phones or "clien"t software) consist of a User Agent Client and a
User Agent Server. In the network usage policy of many sites, there
are few reasons for external hosts to initiate inbound traffic to
machines that provide no public services. Thus, ingress filtering
should be performed at the border to prohibit externally initiated
inbound traffic to non-authorized services.
Please note that this workaround may not protect vulnerable devices
from internal attacks.
Egress filtering
Egress filtering manages the flow of traffic as it leaves a network
under your administrative control. There is typically limited need
for machines providing public services to initiate outbound traffic
to the Internet. In the case of the SIP vulnerabilities, employing
egress filtering on the ports listed above at your network border
may prevent your network from being used as a source for attacks on
other sites.
Block SIP requests directed to broadcast addresses at your router.
Since SIP requests can be transmitted via UDP, broadcast attacks
are possible. One solution to prevent your site from being used as
an intermediary in an attack is to block SIP requests directed to
broadcast addresses at your router.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.
America Online Inc
Not vulnerable.
Apple Computer Inc.
There are currently no applications shipped by Apple with Mac OS X
or Mac OS X Server which make use of the Session Initiation
Protocol.
Borderware
No BorderWare products make use of SIP and thus no BorderWare
products are affected by this vulnerability.
We would however like to extend our thanks to the OUSPG for their
work as well as for the responsible manner in which they handle
their discoveries. Their detailed reports and test suites are
certainly well-received.
We would also like to reiterate the fact that SIP has yet to
mature, protocol-wise as well as implementation-wise. We do not
recommend that our customers set up SIP relays in parallel to our
firewall products to pass SIP-based applications in or out of
networks where security is a concern of note.
F5 Networks
F5 Networks does not have a SIP server product, and is therefore
not affected by this vulnerability.
Fujitsu
With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable
because the relevant function is not supported under UXP/V.
IBM
SIP is not implemented as part of the AIX operating system.
IP Filter
IPFilter does not do any SIP specific protocol handling and is
therefore not affected by the issues mentioned in the paper cited.
IPTel
All versions of SIP Express Router up to 0.8.9 are sadly vulnerable
to the OUSPG test suite. We strongly advice to upgrade to version
0.8.10. Please also apply the patch to version 0.8.10 from
http://www.iptel.org/ser/security/
before installation and keep on watching this site in the future.
We apologize to our users for the trouble.
Hewlett-Packard Company
Source:
Hewlett-Packard Company
Software Security Response Team
cross reference id: SSRT2402
HP-UX - not vulnerable
HP-MPE/ix - not vulnerable
HP Tru64 UNIX - not vulnerable
HP OpenVMS - not vulnerable
HP NonStop Servers - not vulnerable
To report potential security vulnerabilities in HP software, send
an E-mail message to: mailto:security-alert@hp.com
Lucent
No Lucent products are known to be affected by this vulnerability,
however we are still researching the issue and will update this
statement as needed.
Microsoft Corporation
Microsoft has investigated these issues. The Microsoft SIP client
implementation is not affected.
NEC Corporation
===================================================================
NEC vendor statement for VU#528719
===================================================================
sent on February 13, 2002
Server Products
* EWS/UP 48 Series operating system
* - is NOT vulnerable, because it does not support SIP.
Router Products
* IX 1000 / 2000 / 5000 Series
* - is NOT vulnerable, because it does not support SIP.
Other Network products
* We continue to check our products which support SIP protocol.
===================================================================
NETBSD
NetBSD does not ship any implementation of SIP.
NETfilter.org
As the linux 2.4/2.5 netfilter implementation currently doesn't
support connection tracking or NAT for the SIP protocol suite, we
are not vulnerable to this bug.
NetScreen
NetScreen is not vulnerable to this issue.
Network Appliance
NetApp products are not affected by this vulnerability.
Nokia
Nokia IP Security Platforms based on IPSO, Nokis Small Office
Solution platforms, Nokia VPN products and Nokia Message Protector
platform do not initiate or terminate SIP based sessions. The
mentioned Nokia products are not susceptible to this vulnerability
Nortel Networks
Nortel Networks is cooperating to the fullest extent with the CERT
Coordination Center. All Nortel Networks products that use Session
Initiation Protocol SIP) have been tested and all generally
available products, with the following exceptions, have passed the
test suite:
Succession Communication Server 2000 and Succession Communication
Server 2000 - Compact are impacted by the test suite only in
configurations where SIP-T has been provisioned within the
Communication Server; a software patch is expected to be available
by the end of February.
For further information about Nortel Networks products please
contact Nortel Networks Global Network Support.
North America: 1-800-4-NORTEL, or (1-800-466-7835)
Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907
9009
Contacts for other regions available at the Global Contact
<http://www.nortelnetworks.com/help/contact/global/> web page.
Novell
Novell has no products implementing SIP.
Secure Computing Corporation
Neither Sidewinder nor Gauntlet implements SIP, so we do not need
to be on the vendor list for this vulnerability.
SecureWorx
We hereby attest that SecureWorx Basilisk Gateway Security product
suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the
Session Initiation Protocol (SIP) Vulnerability VU#528719 as
described in the OUSPG announcement (OUSPG#0106) received on Fri, 8
Nov 2002 10:17:11 -0500.
Stonesoft
Stonesoft's StoneGate high availability firewall and VPN product
does not contain any code that handles SIP protocol. No versions of
StoneGate are vulnerable.
Symantec
Symantec Corporation products are not vulnerable to this issue.
Xerox
Xerox is aware of this vulnerability and is currently assessing all
products. This statement will be updated as new information becomes
available.
Appendix B. - References
1. http://www.ee.oulu.fi/research/ouspg/protos/
2. http://www.kb.cert.org/vuls/id/528719
3. http://www.cert.org/tech_tips/denial_of_service.html
4. http://www.ietf.org/html.charters/sip-charter.html
5. RFC3261 - SIP: Session Initiation Protocol
6. RFC2327 - SDP: Session Description Protocol
7. RFC2279 - UTF-8, a transformation format of ISO 10646
8. Session Initiation Protocol Basic Call Flow Examples
9. We would also like to acknowledge the
"RedSkins" project of "MediaTeam Oulu" for their support of this
research.
_________________________________________________________________
Feedback on this document can be directed to the authors,
Jason A. Rafail and Ian A. Finlay.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2003-06.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
Revision History
Feb 21, 2003: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPlZDZmjtSoHZUTs5AQGBKwQAr+4iXdsjC3LcN3QB77+6uslWZlP4AZlG
IXS4u50QPNhuFw/vnuOG2FM4bCSUE7h+nG3eyakS1dWO3jGyybMFWPyvykYeFUKQ
17QbmykeWBUVdGmxOeuVmSdmz7MSp6U+FZZmzuUWM85DlSUKoYg8dF7CqVuC137O
Eisa8/wivlM=
=p961
-----END PGP SIGNATURE-----
VAR-200312-0089 | CVE-2003-1114 | Multiple implementations of the Session Initiation Protocol (SIP) contain multiple types of vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Session Initiation Protocol (SIP) implementation in Mediatrix Telecom VoIP Access Devices and Gateways running SIPv2.4 and SIPv4.3 firmware allows remote attackers to cause a denial of service or execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices. These issues may be exploited to cause a denial of services in devices which implement the protocol. It has also been reported that unauthorized access to devices may occur under some circumstances.
These issues are related to handling of SIP INVITE messages.
Exploitation and the specific nature of each vulnerability may depend on the particular implementation. SIP is part of the IETF standards process, and it builds on foundations such as SMTP (Simple Mail Transfer Protocol) and HTTP (Hypertext Transfer Protocol). It is used to establish, change and terminate calls between users based on IP networks. Cisco IP Telephony Modules 7940 and 7960 have these vulnerabilities, which can cause denial of service, and are documented in Cisco Bug IDs CSCdz26317, CSCdz29003, CSCdz29033, and CSCdz29041. Versions running Cisco IOS 12.2T train or any 12.2 \'\'X\'\' train will reset due to incorrect handling of SIP protocols containing illegal headers. These vulnerabilities are documented in Cisco Bug IDs CSCdz39284 and CSCdz41124. Devices running an IOS version with this vulnerability and configured as a SIP gateway will cause the vulnerability generated by CSCdz39284. However, any version of IOS running with this vulnerability and configured in NAT mode will cause the vulnerability described by CSCdz41124 when SIP uses UDP for transmission. The Cisco PIX firewall resets when it receives a fragmented SIP INVITE message. Since the current SIP patch does not support fragmented SIP messages, the vulnerability described by Cisco Bug ID CSCdx47789 is temporarily patched by dropping SIP fragments.
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the
Session Initiation Protocol (SIP)
Original release date: February 21, 2003
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Other systems making use of SIP may also be vulnerable but were not
specifically tested. Not all SIP implementations are affected. See
Vendor Information for details from vendors who have provided feedback
for this advisory.
In addition to the vendors who provided feedback for this advisory, a
list of vendors whom CERT/CC contacted regarding these problems is
available from VU#528719. These
vulnerabilities may allow an attacker to gain unauthorized privileged
access, cause denial-of-service attacks, or cause unstable system
behavior. If your site uses SIP-enabled products in any capacity, the
CERT/CC encourages you to read this advisory and follow the advice
provided in the Solution section below.
I.
SIP is a text-based protocol for initiating communication and data
sessions between users.
The Oulu University Secure Programming Group (OUSPG) previously
conducted research into vulnerabilities in LDAP, culminating in CERT
Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03.
OUSPG's most recent research focused on a subset of SIP related to the
INVITE message, which SIP agents and proxies are required to accept in
order to set up sessions. Note that "throttling" is an expected
behavior.
Specifications for the Session Initiation Protocol are available in
RFC3261:
http://www.ietf.org/rfc/rfc3261.txt
OUSPG has established the following site with detailed documentation
regarding SIP and the implementation test results from the test suite:
http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/
The IETF Charter page for SIP is available at
http://www.ietf.org/html.charters/sip-charter.html
II. Impact
Exploitation of these vulnerabilities may result in denial-of-service
conditions, service interruptions, and in some cases may allow an
attacker to gain unauthorized access to the affected device. Specific
impacts will vary from product to product.
III. Solution
Many of the mitigation steps recommended below may have significant
impact on your everyday network operations and/or network
architecture. Ensure that any changes made based on the following
recommendations will not unacceptably affect your ongoing network
operations capability.
Apply a patch from your vendor
Appendix A contains information provided by vendors for this
advisory. Please consult this appendix and VU#528719 to determine
if your product is vulnerable. If a statement is unavailable, you
may need to contact your vendor directly.
Disable the SIP-enabled devices and services
As a general rule, the CERT/CC recommends disabling any service or
capability that is not explicitly required. Some of the affected
products may rely on SIP to be functional. You should carefully
consider the impact of blocking services that you may be using.
Ingress filtering
As a temporary measure, it may be possible to limit the scope of
these vulnerabilities by blocking access to SIP devices and
services at the network perimeter.
Ingress filtering manages the flow of traffic as it enters a
network under your administrative control. Servers are typically
the only machines that need to accept inbound traffic from the
public Internet. Note that most SIP User Agents (including IP
phones or "clien"t software) consist of a User Agent Client and a
User Agent Server. In the network usage policy of many sites, there
are few reasons for external hosts to initiate inbound traffic to
machines that provide no public services. Thus, ingress filtering
should be performed at the border to prohibit externally initiated
inbound traffic to non-authorized services.
Please note that this workaround may not protect vulnerable devices
from internal attacks.
Egress filtering
Egress filtering manages the flow of traffic as it leaves a network
under your administrative control. There is typically limited need
for machines providing public services to initiate outbound traffic
to the Internet. In the case of the SIP vulnerabilities, employing
egress filtering on the ports listed above at your network border
may prevent your network from being used as a source for attacks on
other sites.
Block SIP requests directed to broadcast addresses at your router.
Since SIP requests can be transmitted via UDP, broadcast attacks
are possible. One solution to prevent your site from being used as
an intermediary in an attack is to block SIP requests directed to
broadcast addresses at your router.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.
America Online Inc
Not vulnerable.
Apple Computer Inc.
There are currently no applications shipped by Apple with Mac OS X
or Mac OS X Server which make use of the Session Initiation
Protocol.
Borderware
No BorderWare products make use of SIP and thus no BorderWare
products are affected by this vulnerability.
We would however like to extend our thanks to the OUSPG for their
work as well as for the responsible manner in which they handle
their discoveries. Their detailed reports and test suites are
certainly well-received.
We would also like to reiterate the fact that SIP has yet to
mature, protocol-wise as well as implementation-wise. We do not
recommend that our customers set up SIP relays in parallel to our
firewall products to pass SIP-based applications in or out of
networks where security is a concern of note.
F5 Networks
F5 Networks does not have a SIP server product, and is therefore
not affected by this vulnerability.
Fujitsu
With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable
because the relevant function is not supported under UXP/V.
IBM
SIP is not implemented as part of the AIX operating system.
IP Filter
IPFilter does not do any SIP specific protocol handling and is
therefore not affected by the issues mentioned in the paper cited.
IPTel
All versions of SIP Express Router up to 0.8.9 are sadly vulnerable
to the OUSPG test suite. We strongly advice to upgrade to version
0.8.10. Please also apply the patch to version 0.8.10 from
http://www.iptel.org/ser/security/
before installation and keep on watching this site in the future.
We apologize to our users for the trouble.
Hewlett-Packard Company
Source:
Hewlett-Packard Company
Software Security Response Team
cross reference id: SSRT2402
HP-UX - not vulnerable
HP-MPE/ix - not vulnerable
HP Tru64 UNIX - not vulnerable
HP OpenVMS - not vulnerable
HP NonStop Servers - not vulnerable
To report potential security vulnerabilities in HP software, send
an E-mail message to: mailto:security-alert@hp.com
Lucent
No Lucent products are known to be affected by this vulnerability,
however we are still researching the issue and will update this
statement as needed.
Microsoft Corporation
Microsoft has investigated these issues. The Microsoft SIP client
implementation is not affected.
NEC Corporation
===================================================================
NEC vendor statement for VU#528719
===================================================================
sent on February 13, 2002
Server Products
* EWS/UP 48 Series operating system
* - is NOT vulnerable, because it does not support SIP.
Router Products
* IX 1000 / 2000 / 5000 Series
* - is NOT vulnerable, because it does not support SIP.
Other Network products
* We continue to check our products which support SIP protocol.
===================================================================
NETBSD
NetBSD does not ship any implementation of SIP.
NETfilter.org
As the linux 2.4/2.5 netfilter implementation currently doesn't
support connection tracking or NAT for the SIP protocol suite, we
are not vulnerable to this bug.
NetScreen
NetScreen is not vulnerable to this issue.
Network Appliance
NetApp products are not affected by this vulnerability.
Nokia
Nokia IP Security Platforms based on IPSO, Nokis Small Office
Solution platforms, Nokia VPN products and Nokia Message Protector
platform do not initiate or terminate SIP based sessions. The
mentioned Nokia products are not susceptible to this vulnerability
Nortel Networks
Nortel Networks is cooperating to the fullest extent with the CERT
Coordination Center. All Nortel Networks products that use Session
Initiation Protocol SIP) have been tested and all generally
available products, with the following exceptions, have passed the
test suite:
Succession Communication Server 2000 and Succession Communication
Server 2000 - Compact are impacted by the test suite only in
configurations where SIP-T has been provisioned within the
Communication Server; a software patch is expected to be available
by the end of February.
For further information about Nortel Networks products please
contact Nortel Networks Global Network Support.
North America: 1-800-4-NORTEL, or (1-800-466-7835)
Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907
9009
Contacts for other regions available at the Global Contact
<http://www.nortelnetworks.com/help/contact/global/> web page.
Novell
Novell has no products implementing SIP.
Secure Computing Corporation
Neither Sidewinder nor Gauntlet implements SIP, so we do not need
to be on the vendor list for this vulnerability.
SecureWorx
We hereby attest that SecureWorx Basilisk Gateway Security product
suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the
Session Initiation Protocol (SIP) Vulnerability VU#528719 as
described in the OUSPG announcement (OUSPG#0106) received on Fri, 8
Nov 2002 10:17:11 -0500.
Stonesoft
Stonesoft's StoneGate high availability firewall and VPN product
does not contain any code that handles SIP protocol. No versions of
StoneGate are vulnerable.
Symantec
Symantec Corporation products are not vulnerable to this issue.
Xerox
Xerox is aware of this vulnerability and is currently assessing all
products. This statement will be updated as new information becomes
available.
Appendix B. - References
1. http://www.ee.oulu.fi/research/ouspg/protos/
2. http://www.kb.cert.org/vuls/id/528719
3. http://www.cert.org/tech_tips/denial_of_service.html
4. http://www.ietf.org/html.charters/sip-charter.html
5. RFC3261 - SIP: Session Initiation Protocol
6. RFC2327 - SDP: Session Description Protocol
7. RFC2279 - UTF-8, a transformation format of ISO 10646
8. Session Initiation Protocol Basic Call Flow Examples
9. We would also like to acknowledge the
"RedSkins" project of "MediaTeam Oulu" for their support of this
research.
_________________________________________________________________
Feedback on this document can be directed to the authors,
Jason A. Rafail and Ian A. Finlay.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2003-06.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
Revision History
Feb 21, 2003: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPlZDZmjtSoHZUTs5AQGBKwQAr+4iXdsjC3LcN3QB77+6uslWZlP4AZlG
IXS4u50QPNhuFw/vnuOG2FM4bCSUE7h+nG3eyakS1dWO3jGyybMFWPyvykYeFUKQ
17QbmykeWBUVdGmxOeuVmSdmz7MSp6U+FZZmzuUWM85DlSUKoYg8dF7CqVuC137O
Eisa8/wivlM=
=p961
-----END PGP SIGNATURE-----