VARIoT IoT vulnerabilities database

The Session Initiation Protocol (SIP) implementation in multiple Cisco products including IP Phone models 7940 and 7960, IOS versions in the 12.2 train, and Secure PIX 5.2.9 to 6.2.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices. These issues may be exploited to cause a denial of services in devices which implement the protocol. It has also been reported that unauthorized access to devices may occur under some circumstances. These issues are related to handling of SIP INVITE messages. Exploitation and the specific nature of each vulnerability may depend on the particular implementation. SIP is part of the IETF standards process, and it builds on foundations such as SMTP (Simple Mail Transfer Protocol) and HTTP (Hypertext Transfer Protocol). It is used to establish, change and terminate calls between users based on IP networks. These vulnerabilities include buffer overflow and improper handling of request messages containing illegal headers, which can cause buffer overflow on devices running this protocol, resulting in denial of service, and may also cause unauthorized access or remote execution of arbitrary commands. Cisco IP Telephony Modules 7940 and 7960 have these vulnerabilities, which can cause denial of service, and are documented in Cisco Bug IDs CSCdz26317, CSCdz29003, CSCdz29033, and CSCdz29041. Versions running Cisco IOS 12.2T train or any 12.2 \'\'X\'\' train will reset due to incorrect handling of SIP protocols containing illegal headers. These vulnerabilities are documented in Cisco Bug IDs CSCdz39284 and CSCdz41124. Devices running an IOS version with this vulnerability and configured as a SIP gateway will cause the vulnerability generated by CSCdz39284. However, any version of IOS running with this vulnerability and configured in NAT mode will cause the vulnerability described by CSCdz41124 when SIP uses UDP for transmission. The Cisco PIX firewall resets when it receives a fragmented SIP INVITE message. Since the current SIP patch does not support fragmented SIP messages, the vulnerability described by Cisco Bug ID CSCdx47789 is temporarily patched by dropping SIP fragments. -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP) Original release date: February 21, 2003 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Other systems making use of SIP may also be vulnerable but were not specifically tested. Not all SIP implementations are affected. See Vendor Information for details from vendors who have provided feedback for this advisory. In addition to the vendors who provided feedback for this advisory, a list of vendors whom CERT/CC contacted regarding these problems is available from VU#528719. These vulnerabilities may allow an attacker to gain unauthorized privileged access, cause denial-of-service attacks, or cause unstable system behavior. If your site uses SIP-enabled products in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below. I. SIP is a text-based protocol for initiating communication and data sessions between users. The Oulu University Secure Programming Group (OUSPG) previously conducted research into vulnerabilities in LDAP, culminating in CERT Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03. OUSPG's most recent research focused on a subset of SIP related to the INVITE message, which SIP agents and proxies are required to accept in order to set up sessions. Note that "throttling" is an expected behavior. Specifications for the Session Initiation Protocol are available in RFC3261: http://www.ietf.org/rfc/rfc3261.txt OUSPG has established the following site with detailed documentation regarding SIP and the implementation test results from the test suite: http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/ The IETF Charter page for SIP is available at http://www.ietf.org/html.charters/sip-charter.html II. Impact Exploitation of these vulnerabilities may result in denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain unauthorized access to the affected device. Specific impacts will vary from product to product. III. Solution Many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Ensure that any changes made based on the following recommendations will not unacceptably affect your ongoing network operations capability. Apply a patch from your vendor Appendix A contains information provided by vendors for this advisory. Please consult this appendix and VU#528719 to determine if your product is vulnerable. If a statement is unavailable, you may need to contact your vendor directly. Disable the SIP-enabled devices and services As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Some of the affected products may rely on SIP to be functional. You should carefully consider the impact of blocking services that you may be using. Ingress filtering As a temporary measure, it may be possible to limit the scope of these vulnerabilities by blocking access to SIP devices and services at the network perimeter. Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound traffic from the public Internet. Note that most SIP User Agents (including IP phones or "clien"t software) consist of a User Agent Client and a User Agent Server. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services. Please note that this workaround may not protect vulnerable devices from internal attacks. Egress filtering Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound traffic to the Internet. In the case of the SIP vulnerabilities, employing egress filtering on the ports listed above at your network border may prevent your network from being used as a source for attacks on other sites. Block SIP requests directed to broadcast addresses at your router. Since SIP requests can be transmitted via UDP, broadcast attacks are possible. One solution to prevent your site from being used as an intermediary in an attack is to block SIP requests directed to broadcast addresses at your router. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. America Online Inc Not vulnerable. Apple Computer Inc. There are currently no applications shipped by Apple with Mac OS X or Mac OS X Server which make use of the Session Initiation Protocol. Borderware No BorderWare products make use of SIP and thus no BorderWare products are affected by this vulnerability. We would however like to extend our thanks to the OUSPG for their work as well as for the responsible manner in which they handle their discoveries. Their detailed reports and test suites are certainly well-received. We would also like to reiterate the fact that SIP has yet to mature, protocol-wise as well as implementation-wise. We do not recommend that our customers set up SIP relays in parallel to our firewall products to pass SIP-based applications in or out of networks where security is a concern of note. F5 Networks F5 Networks does not have a SIP server product, and is therefore not affected by this vulnerability. Fujitsu With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable because the relevant function is not supported under UXP/V. IBM SIP is not implemented as part of the AIX operating system. IP Filter IPFilter does not do any SIP specific protocol handling and is therefore not affected by the issues mentioned in the paper cited. IPTel All versions of SIP Express Router up to 0.8.9 are sadly vulnerable to the OUSPG test suite. We strongly advice to upgrade to version 0.8.10. Please also apply the patch to version 0.8.10 from http://www.iptel.org/ser/security/ before installation and keep on watching this site in the future. We apologize to our users for the trouble. Hewlett-Packard Company Source: Hewlett-Packard Company Software Security Response Team cross reference id: SSRT2402 HP-UX - not vulnerable HP-MPE/ix - not vulnerable HP Tru64 UNIX - not vulnerable HP OpenVMS - not vulnerable HP NonStop Servers - not vulnerable To report potential security vulnerabilities in HP software, send an E-mail message to: mailto:security-alert@hp.com Lucent No Lucent products are known to be affected by this vulnerability, however we are still researching the issue and will update this statement as needed. Microsoft Corporation Microsoft has investigated these issues. The Microsoft SIP client implementation is not affected. NEC Corporation =================================================================== NEC vendor statement for VU#528719 =================================================================== sent on February 13, 2002 Server Products * EWS/UP 48 Series operating system * - is NOT vulnerable, because it does not support SIP. Router Products * IX 1000 / 2000 / 5000 Series * - is NOT vulnerable, because it does not support SIP. Other Network products * We continue to check our products which support SIP protocol. =================================================================== NETBSD NetBSD does not ship any implementation of SIP. NETfilter.org As the linux 2.4/2.5 netfilter implementation currently doesn't support connection tracking or NAT for the SIP protocol suite, we are not vulnerable to this bug. NetScreen NetScreen is not vulnerable to this issue. Network Appliance NetApp products are not affected by this vulnerability. Nokia Nokia IP Security Platforms based on IPSO, Nokis Small Office Solution platforms, Nokia VPN products and Nokia Message Protector platform do not initiate or terminate SIP based sessions. The mentioned Nokia products are not susceptible to this vulnerability Nortel Networks Nortel Networks is cooperating to the fullest extent with the CERT Coordination Center. All Nortel Networks products that use Session Initiation Protocol SIP) have been tested and all generally available products, with the following exceptions, have passed the test suite: Succession Communication Server 2000 and Succession Communication Server 2000 - Compact are impacted by the test suite only in configurations where SIP-T has been provisioned within the Communication Server; a software patch is expected to be available by the end of February. For further information about Nortel Networks products please contact Nortel Networks Global Network Support. North America: 1-800-4-NORTEL, or (1-800-466-7835) Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907 9009 Contacts for other regions available at the Global Contact <http://www.nortelnetworks.com/help/contact/global/> web page. Novell Novell has no products implementing SIP. Secure Computing Corporation Neither Sidewinder nor Gauntlet implements SIP, so we do not need to be on the vendor list for this vulnerability. SecureWorx We hereby attest that SecureWorx Basilisk Gateway Security product suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the Session Initiation Protocol (SIP) Vulnerability VU#528719 as described in the OUSPG announcement (OUSPG#0106) received on Fri, 8 Nov 2002 10:17:11 -0500. Stonesoft Stonesoft's StoneGate high availability firewall and VPN product does not contain any code that handles SIP protocol. No versions of StoneGate are vulnerable. Symantec Symantec Corporation products are not vulnerable to this issue. Xerox Xerox is aware of this vulnerability and is currently assessing all products. This statement will be updated as new information becomes available. Appendix B. - References 1. http://www.ee.oulu.fi/research/ouspg/protos/ 2. http://www.kb.cert.org/vuls/id/528719 3. http://www.cert.org/tech_tips/denial_of_service.html 4. http://www.ietf.org/html.charters/sip-charter.html 5. RFC3261 - SIP: Session Initiation Protocol 6. RFC2327 - SDP: Session Description Protocol 7. RFC2279 - UTF-8, a transformation format of ISO 10646 8. Session Initiation Protocol Basic Call Flow Examples 9. We would also like to acknowledge the "RedSkins" project of "MediaTeam Oulu" for their support of this research. _________________________________________________________________ Feedback on this document can be directed to the authors, Jason A. Rafail and Ian A. Finlay. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2003-06.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2003 Carnegie Mellon University. Revision History Feb 21, 2003: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPlZDZmjtSoHZUTs5AQGBKwQAr+4iXdsjC3LcN3QB77+6uslWZlP4AZlG IXS4u50QPNhuFw/vnuOG2FM4bCSUE7h+nG3eyakS1dWO3jGyybMFWPyvykYeFUKQ 17QbmykeWBUVdGmxOeuVmSdmz7MSp6U+FZZmzuUWM85DlSUKoYg8dF7CqVuC137O Eisa8/wivlM= =p961 -----END PGP SIGNATURE-----

The Session Initiation Protocol (SIP) implementation in Alcatel OmniPCX Enterprise 5.0 Lx allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices. Provided by many vendors SIP For service implementation, SIP Used when establishing a session INVITE Malicious due to poor message processing INVITE Service disruption by creating and sending requests (DoS) There is a vulnerability that becomes a condition.SIP Service disrupted service operation (DoS) State, or SIP Arbitrary code may be executed with the privilege of executing the service. These issues may be exploited to cause a denial of services in devices which implement the protocol. It has also been reported that unauthorized access to devices may occur under some circumstances. These issues are related to handling of SIP INVITE messages. Exploitation and the specific nature of each vulnerability may depend on the particular implementation. -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP) Original release date: February 21, 2003 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Other systems making use of SIP may also be vulnerable but were not specifically tested. Not all SIP implementations are affected. See Vendor Information for details from vendors who have provided feedback for this advisory. In addition to the vendors who provided feedback for this advisory, a list of vendors whom CERT/CC contacted regarding these problems is available from VU#528719. These vulnerabilities may allow an attacker to gain unauthorized privileged access, cause denial-of-service attacks, or cause unstable system behavior. If your site uses SIP-enabled products in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below. I. SIP is a text-based protocol for initiating communication and data sessions between users. The Oulu University Secure Programming Group (OUSPG) previously conducted research into vulnerabilities in LDAP, culminating in CERT Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03. OUSPG's most recent research focused on a subset of SIP related to the INVITE message, which SIP agents and proxies are required to accept in order to set up sessions. Note that "throttling" is an expected behavior. Specifications for the Session Initiation Protocol are available in RFC3261: http://www.ietf.org/rfc/rfc3261.txt OUSPG has established the following site with detailed documentation regarding SIP and the implementation test results from the test suite: http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/ The IETF Charter page for SIP is available at http://www.ietf.org/html.charters/sip-charter.html II. Impact Exploitation of these vulnerabilities may result in denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain unauthorized access to the affected device. Specific impacts will vary from product to product. III. Solution Many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Ensure that any changes made based on the following recommendations will not unacceptably affect your ongoing network operations capability. Apply a patch from your vendor Appendix A contains information provided by vendors for this advisory. Please consult this appendix and VU#528719 to determine if your product is vulnerable. If a statement is unavailable, you may need to contact your vendor directly. Disable the SIP-enabled devices and services As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Some of the affected products may rely on SIP to be functional. You should carefully consider the impact of blocking services that you may be using. Ingress filtering As a temporary measure, it may be possible to limit the scope of these vulnerabilities by blocking access to SIP devices and services at the network perimeter. Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound traffic from the public Internet. Note that most SIP User Agents (including IP phones or "clien"t software) consist of a User Agent Client and a User Agent Server. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services. Please note that this workaround may not protect vulnerable devices from internal attacks. Egress filtering Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound traffic to the Internet. In the case of the SIP vulnerabilities, employing egress filtering on the ports listed above at your network border may prevent your network from being used as a source for attacks on other sites. Block SIP requests directed to broadcast addresses at your router. Since SIP requests can be transmitted via UDP, broadcast attacks are possible. One solution to prevent your site from being used as an intermediary in an attack is to block SIP requests directed to broadcast addresses at your router. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. America Online Inc Not vulnerable. Apple Computer Inc. There are currently no applications shipped by Apple with Mac OS X or Mac OS X Server which make use of the Session Initiation Protocol. Borderware No BorderWare products make use of SIP and thus no BorderWare products are affected by this vulnerability. We would however like to extend our thanks to the OUSPG for their work as well as for the responsible manner in which they handle their discoveries. Their detailed reports and test suites are certainly well-received. We would also like to reiterate the fact that SIP has yet to mature, protocol-wise as well as implementation-wise. We do not recommend that our customers set up SIP relays in parallel to our firewall products to pass SIP-based applications in or out of networks where security is a concern of note. F5 Networks F5 Networks does not have a SIP server product, and is therefore not affected by this vulnerability. Fujitsu With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable because the relevant function is not supported under UXP/V. IBM SIP is not implemented as part of the AIX operating system. IP Filter IPFilter does not do any SIP specific protocol handling and is therefore not affected by the issues mentioned in the paper cited. IPTel All versions of SIP Express Router up to 0.8.9 are sadly vulnerable to the OUSPG test suite. We strongly advice to upgrade to version 0.8.10. Please also apply the patch to version 0.8.10 from http://www.iptel.org/ser/security/ before installation and keep on watching this site in the future. We apologize to our users for the trouble. Hewlett-Packard Company Source: Hewlett-Packard Company Software Security Response Team cross reference id: SSRT2402 HP-UX - not vulnerable HP-MPE/ix - not vulnerable HP Tru64 UNIX - not vulnerable HP OpenVMS - not vulnerable HP NonStop Servers - not vulnerable To report potential security vulnerabilities in HP software, send an E-mail message to: mailto:security-alert@hp.com Lucent No Lucent products are known to be affected by this vulnerability, however we are still researching the issue and will update this statement as needed. Microsoft Corporation Microsoft has investigated these issues. The Microsoft SIP client implementation is not affected. NEC Corporation =================================================================== NEC vendor statement for VU#528719 =================================================================== sent on February 13, 2002 Server Products * EWS/UP 48 Series operating system * - is NOT vulnerable, because it does not support SIP. Router Products * IX 1000 / 2000 / 5000 Series * - is NOT vulnerable, because it does not support SIP. Other Network products * We continue to check our products which support SIP protocol. =================================================================== NETBSD NetBSD does not ship any implementation of SIP. NETfilter.org As the linux 2.4/2.5 netfilter implementation currently doesn't support connection tracking or NAT for the SIP protocol suite, we are not vulnerable to this bug. NetScreen NetScreen is not vulnerable to this issue. Network Appliance NetApp products are not affected by this vulnerability. Nokia Nokia IP Security Platforms based on IPSO, Nokis Small Office Solution platforms, Nokia VPN products and Nokia Message Protector platform do not initiate or terminate SIP based sessions. The mentioned Nokia products are not susceptible to this vulnerability Nortel Networks Nortel Networks is cooperating to the fullest extent with the CERT Coordination Center. All Nortel Networks products that use Session Initiation Protocol SIP) have been tested and all generally available products, with the following exceptions, have passed the test suite: Succession Communication Server 2000 and Succession Communication Server 2000 - Compact are impacted by the test suite only in configurations where SIP-T has been provisioned within the Communication Server; a software patch is expected to be available by the end of February. For further information about Nortel Networks products please contact Nortel Networks Global Network Support. North America: 1-800-4-NORTEL, or (1-800-466-7835) Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907 9009 Contacts for other regions available at the Global Contact <http://www.nortelnetworks.com/help/contact/global/> web page. Novell Novell has no products implementing SIP. Secure Computing Corporation Neither Sidewinder nor Gauntlet implements SIP, so we do not need to be on the vendor list for this vulnerability. SecureWorx We hereby attest that SecureWorx Basilisk Gateway Security product suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the Session Initiation Protocol (SIP) Vulnerability VU#528719 as described in the OUSPG announcement (OUSPG#0106) received on Fri, 8 Nov 2002 10:17:11 -0500. Stonesoft Stonesoft's StoneGate high availability firewall and VPN product does not contain any code that handles SIP protocol. No versions of StoneGate are vulnerable. Symantec Symantec Corporation products are not vulnerable to this issue. Xerox Xerox is aware of this vulnerability and is currently assessing all products. This statement will be updated as new information becomes available. Appendix B. - References 1. http://www.ee.oulu.fi/research/ouspg/protos/ 2. http://www.kb.cert.org/vuls/id/528719 3. http://www.cert.org/tech_tips/denial_of_service.html 4. http://www.ietf.org/html.charters/sip-charter.html 5. RFC3261 - SIP: Session Initiation Protocol 6. RFC2327 - SDP: Session Description Protocol 7. RFC2279 - UTF-8, a transformation format of ISO 10646 8. Session Initiation Protocol Basic Call Flow Examples 9. We would also like to acknowledge the "RedSkins" project of "MediaTeam Oulu" for their support of this research. _________________________________________________________________ Feedback on this document can be directed to the authors, Jason A. Rafail and Ian A. Finlay. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2003-06.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2003 Carnegie Mellon University. Revision History Feb 21, 2003: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPlZDZmjtSoHZUTs5AQGBKwQAr+4iXdsjC3LcN3QB77+6uslWZlP4AZlG IXS4u50QPNhuFw/vnuOG2FM4bCSUE7h+nG3eyakS1dWO3jGyybMFWPyvykYeFUKQ 17QbmykeWBUVdGmxOeuVmSdmz7MSp6U+FZZmzuUWM85DlSUKoYg8dF7CqVuC137O Eisa8/wivlM= =p961 -----END PGP SIGNATURE-----

The Session Initiation Protocol (SIP) implementation in Nortel Networks Succession Communication Server 2000, when using SIP-T, allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices. These issues may be exploited to cause a denial of services in devices which implement the protocol. It has also been reported that unauthorized access to devices may occur under some circumstances. These issues are related to handling of SIP INVITE messages. Exploitation and the specific nature of each vulnerability may depend on the particular implementation. -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP) Original release date: February 21, 2003 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Other systems making use of SIP may also be vulnerable but were not specifically tested. Not all SIP implementations are affected. See Vendor Information for details from vendors who have provided feedback for this advisory. In addition to the vendors who provided feedback for this advisory, a list of vendors whom CERT/CC contacted regarding these problems is available from VU#528719. These vulnerabilities may allow an attacker to gain unauthorized privileged access, cause denial-of-service attacks, or cause unstable system behavior. If your site uses SIP-enabled products in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below. I. SIP is a text-based protocol for initiating communication and data sessions between users. The Oulu University Secure Programming Group (OUSPG) previously conducted research into vulnerabilities in LDAP, culminating in CERT Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03. OUSPG's most recent research focused on a subset of SIP related to the INVITE message, which SIP agents and proxies are required to accept in order to set up sessions. Note that "throttling" is an expected behavior. Specifications for the Session Initiation Protocol are available in RFC3261: http://www.ietf.org/rfc/rfc3261.txt OUSPG has established the following site with detailed documentation regarding SIP and the implementation test results from the test suite: http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/ The IETF Charter page for SIP is available at http://www.ietf.org/html.charters/sip-charter.html II. Impact Exploitation of these vulnerabilities may result in denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain unauthorized access to the affected device. Specific impacts will vary from product to product. III. Solution Many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Ensure that any changes made based on the following recommendations will not unacceptably affect your ongoing network operations capability. Apply a patch from your vendor Appendix A contains information provided by vendors for this advisory. Please consult this appendix and VU#528719 to determine if your product is vulnerable. If a statement is unavailable, you may need to contact your vendor directly. Disable the SIP-enabled devices and services As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Some of the affected products may rely on SIP to be functional. You should carefully consider the impact of blocking services that you may be using. Ingress filtering As a temporary measure, it may be possible to limit the scope of these vulnerabilities by blocking access to SIP devices and services at the network perimeter. Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound traffic from the public Internet. Note that most SIP User Agents (including IP phones or "clien"t software) consist of a User Agent Client and a User Agent Server. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services. Please note that this workaround may not protect vulnerable devices from internal attacks. Egress filtering Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound traffic to the Internet. In the case of the SIP vulnerabilities, employing egress filtering on the ports listed above at your network border may prevent your network from being used as a source for attacks on other sites. Block SIP requests directed to broadcast addresses at your router. Since SIP requests can be transmitted via UDP, broadcast attacks are possible. One solution to prevent your site from being used as an intermediary in an attack is to block SIP requests directed to broadcast addresses at your router. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. America Online Inc Not vulnerable. Apple Computer Inc. There are currently no applications shipped by Apple with Mac OS X or Mac OS X Server which make use of the Session Initiation Protocol. Borderware No BorderWare products make use of SIP and thus no BorderWare products are affected by this vulnerability. We would however like to extend our thanks to the OUSPG for their work as well as for the responsible manner in which they handle their discoveries. Their detailed reports and test suites are certainly well-received. We would also like to reiterate the fact that SIP has yet to mature, protocol-wise as well as implementation-wise. We do not recommend that our customers set up SIP relays in parallel to our firewall products to pass SIP-based applications in or out of networks where security is a concern of note. F5 Networks F5 Networks does not have a SIP server product, and is therefore not affected by this vulnerability. Fujitsu With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable because the relevant function is not supported under UXP/V. IBM SIP is not implemented as part of the AIX operating system. IP Filter IPFilter does not do any SIP specific protocol handling and is therefore not affected by the issues mentioned in the paper cited. IPTel All versions of SIP Express Router up to 0.8.9 are sadly vulnerable to the OUSPG test suite. We strongly advice to upgrade to version 0.8.10. Please also apply the patch to version 0.8.10 from http://www.iptel.org/ser/security/ before installation and keep on watching this site in the future. We apologize to our users for the trouble. Hewlett-Packard Company Source: Hewlett-Packard Company Software Security Response Team cross reference id: SSRT2402 HP-UX - not vulnerable HP-MPE/ix - not vulnerable HP Tru64 UNIX - not vulnerable HP OpenVMS - not vulnerable HP NonStop Servers - not vulnerable To report potential security vulnerabilities in HP software, send an E-mail message to: mailto:security-alert@hp.com Lucent No Lucent products are known to be affected by this vulnerability, however we are still researching the issue and will update this statement as needed. Microsoft Corporation Microsoft has investigated these issues. The Microsoft SIP client implementation is not affected. NEC Corporation =================================================================== NEC vendor statement for VU#528719 =================================================================== sent on February 13, 2002 Server Products * EWS/UP 48 Series operating system * - is NOT vulnerable, because it does not support SIP. Router Products * IX 1000 / 2000 / 5000 Series * - is NOT vulnerable, because it does not support SIP. Other Network products * We continue to check our products which support SIP protocol. =================================================================== NETBSD NetBSD does not ship any implementation of SIP. NETfilter.org As the linux 2.4/2.5 netfilter implementation currently doesn't support connection tracking or NAT for the SIP protocol suite, we are not vulnerable to this bug. NetScreen NetScreen is not vulnerable to this issue. Network Appliance NetApp products are not affected by this vulnerability. Nokia Nokia IP Security Platforms based on IPSO, Nokis Small Office Solution platforms, Nokia VPN products and Nokia Message Protector platform do not initiate or terminate SIP based sessions. The mentioned Nokia products are not susceptible to this vulnerability Nortel Networks Nortel Networks is cooperating to the fullest extent with the CERT Coordination Center. For further information about Nortel Networks products please contact Nortel Networks Global Network Support. North America: 1-800-4-NORTEL, or (1-800-466-7835) Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907 9009 Contacts for other regions available at the Global Contact <http://www.nortelnetworks.com/help/contact/global/> web page. Novell Novell has no products implementing SIP. Secure Computing Corporation Neither Sidewinder nor Gauntlet implements SIP, so we do not need to be on the vendor list for this vulnerability. SecureWorx We hereby attest that SecureWorx Basilisk Gateway Security product suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the Session Initiation Protocol (SIP) Vulnerability VU#528719 as described in the OUSPG announcement (OUSPG#0106) received on Fri, 8 Nov 2002 10:17:11 -0500. Stonesoft Stonesoft's StoneGate high availability firewall and VPN product does not contain any code that handles SIP protocol. No versions of StoneGate are vulnerable. Symantec Symantec Corporation products are not vulnerable to this issue. Xerox Xerox is aware of this vulnerability and is currently assessing all products. This statement will be updated as new information becomes available. Appendix B. - References 1. http://www.ee.oulu.fi/research/ouspg/protos/ 2. http://www.kb.cert.org/vuls/id/528719 3. http://www.cert.org/tech_tips/denial_of_service.html 4. http://www.ietf.org/html.charters/sip-charter.html 5. RFC3261 - SIP: Session Initiation Protocol 6. RFC2327 - SDP: Session Description Protocol 7. RFC2279 - UTF-8, a transformation format of ISO 10646 8. Session Initiation Protocol Basic Call Flow Examples 9. We would also like to acknowledge the "RedSkins" project of "MediaTeam Oulu" for their support of this research. _________________________________________________________________ Feedback on this document can be directed to the authors, Jason A. Rafail and Ian A. Finlay. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2003-06.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2003 Carnegie Mellon University. Revision History Feb 21, 2003: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPlZDZmjtSoHZUTs5AQGBKwQAr+4iXdsjC3LcN3QB77+6uslWZlP4AZlG IXS4u50QPNhuFw/vnuOG2FM4bCSUE7h+nG3eyakS1dWO3jGyybMFWPyvykYeFUKQ 17QbmykeWBUVdGmxOeuVmSdmz7MSp6U+FZZmzuUWM85DlSUKoYg8dF7CqVuC137O Eisa8/wivlM= =p961 -----END PGP SIGNATURE-----

The Session Initiation Protocol (SIP) implementation in multiple dynamicsoft products including y and certain demo products for AppEngine allows remote attackers to cause a denial of service or execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices. These issues may be exploited to cause a denial of services in devices which implement the protocol. It has also been reported that unauthorized access to devices may occur under some circumstances. These issues are related to handling of SIP INVITE messages. Exploitation and the specific nature of each vulnerability may depend on the particular implementation. -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP) Original release date: February 21, 2003 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Other systems making use of SIP may also be vulnerable but were not specifically tested. Not all SIP implementations are affected. See Vendor Information for details from vendors who have provided feedback for this advisory. In addition to the vendors who provided feedback for this advisory, a list of vendors whom CERT/CC contacted regarding these problems is available from VU#528719. These vulnerabilities may allow an attacker to gain unauthorized privileged access, cause denial-of-service attacks, or cause unstable system behavior. If your site uses SIP-enabled products in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below. I. SIP is a text-based protocol for initiating communication and data sessions between users. The Oulu University Secure Programming Group (OUSPG) previously conducted research into vulnerabilities in LDAP, culminating in CERT Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03. OUSPG's most recent research focused on a subset of SIP related to the INVITE message, which SIP agents and proxies are required to accept in order to set up sessions. Note that "throttling" is an expected behavior. Specifications for the Session Initiation Protocol are available in RFC3261: http://www.ietf.org/rfc/rfc3261.txt OUSPG has established the following site with detailed documentation regarding SIP and the implementation test results from the test suite: http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/ The IETF Charter page for SIP is available at http://www.ietf.org/html.charters/sip-charter.html II. Impact Exploitation of these vulnerabilities may result in denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain unauthorized access to the affected device. Specific impacts will vary from product to product. III. Solution Many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Ensure that any changes made based on the following recommendations will not unacceptably affect your ongoing network operations capability. Apply a patch from your vendor Appendix A contains information provided by vendors for this advisory. Please consult this appendix and VU#528719 to determine if your product is vulnerable. If a statement is unavailable, you may need to contact your vendor directly. Disable the SIP-enabled devices and services As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Some of the affected products may rely on SIP to be functional. You should carefully consider the impact of blocking services that you may be using. Ingress filtering As a temporary measure, it may be possible to limit the scope of these vulnerabilities by blocking access to SIP devices and services at the network perimeter. Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound traffic from the public Internet. Note that most SIP User Agents (including IP phones or "clien"t software) consist of a User Agent Client and a User Agent Server. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services. Please note that this workaround may not protect vulnerable devices from internal attacks. Egress filtering Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound traffic to the Internet. In the case of the SIP vulnerabilities, employing egress filtering on the ports listed above at your network border may prevent your network from being used as a source for attacks on other sites. Block SIP requests directed to broadcast addresses at your router. Since SIP requests can be transmitted via UDP, broadcast attacks are possible. One solution to prevent your site from being used as an intermediary in an attack is to block SIP requests directed to broadcast addresses at your router. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. America Online Inc Not vulnerable. Apple Computer Inc. There are currently no applications shipped by Apple with Mac OS X or Mac OS X Server which make use of the Session Initiation Protocol. Borderware No BorderWare products make use of SIP and thus no BorderWare products are affected by this vulnerability. We would however like to extend our thanks to the OUSPG for their work as well as for the responsible manner in which they handle their discoveries. Their detailed reports and test suites are certainly well-received. We would also like to reiterate the fact that SIP has yet to mature, protocol-wise as well as implementation-wise. We do not recommend that our customers set up SIP relays in parallel to our firewall products to pass SIP-based applications in or out of networks where security is a concern of note. F5 Networks F5 Networks does not have a SIP server product, and is therefore not affected by this vulnerability. Fujitsu With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable because the relevant function is not supported under UXP/V. IBM SIP is not implemented as part of the AIX operating system. IP Filter IPFilter does not do any SIP specific protocol handling and is therefore not affected by the issues mentioned in the paper cited. IPTel All versions of SIP Express Router up to 0.8.9 are sadly vulnerable to the OUSPG test suite. We strongly advice to upgrade to version 0.8.10. Please also apply the patch to version 0.8.10 from http://www.iptel.org/ser/security/ before installation and keep on watching this site in the future. We apologize to our users for the trouble. Hewlett-Packard Company Source: Hewlett-Packard Company Software Security Response Team cross reference id: SSRT2402 HP-UX - not vulnerable HP-MPE/ix - not vulnerable HP Tru64 UNIX - not vulnerable HP OpenVMS - not vulnerable HP NonStop Servers - not vulnerable To report potential security vulnerabilities in HP software, send an E-mail message to: mailto:security-alert@hp.com Lucent No Lucent products are known to be affected by this vulnerability, however we are still researching the issue and will update this statement as needed. Microsoft Corporation Microsoft has investigated these issues. The Microsoft SIP client implementation is not affected. NEC Corporation =================================================================== NEC vendor statement for VU#528719 =================================================================== sent on February 13, 2002 Server Products * EWS/UP 48 Series operating system * - is NOT vulnerable, because it does not support SIP. Router Products * IX 1000 / 2000 / 5000 Series * - is NOT vulnerable, because it does not support SIP. Other Network products * We continue to check our products which support SIP protocol. =================================================================== NETBSD NetBSD does not ship any implementation of SIP. NETfilter.org As the linux 2.4/2.5 netfilter implementation currently doesn't support connection tracking or NAT for the SIP protocol suite, we are not vulnerable to this bug. NetScreen NetScreen is not vulnerable to this issue. Network Appliance NetApp products are not affected by this vulnerability. Nokia Nokia IP Security Platforms based on IPSO, Nokis Small Office Solution platforms, Nokia VPN products and Nokia Message Protector platform do not initiate or terminate SIP based sessions. The mentioned Nokia products are not susceptible to this vulnerability Nortel Networks Nortel Networks is cooperating to the fullest extent with the CERT Coordination Center. All Nortel Networks products that use Session Initiation Protocol SIP) have been tested and all generally available products, with the following exceptions, have passed the test suite: Succession Communication Server 2000 and Succession Communication Server 2000 - Compact are impacted by the test suite only in configurations where SIP-T has been provisioned within the Communication Server; a software patch is expected to be available by the end of February. For further information about Nortel Networks products please contact Nortel Networks Global Network Support. North America: 1-800-4-NORTEL, or (1-800-466-7835) Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907 9009 Contacts for other regions available at the Global Contact <http://www.nortelnetworks.com/help/contact/global/> web page. Novell Novell has no products implementing SIP. Secure Computing Corporation Neither Sidewinder nor Gauntlet implements SIP, so we do not need to be on the vendor list for this vulnerability. SecureWorx We hereby attest that SecureWorx Basilisk Gateway Security product suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the Session Initiation Protocol (SIP) Vulnerability VU#528719 as described in the OUSPG announcement (OUSPG#0106) received on Fri, 8 Nov 2002 10:17:11 -0500. Stonesoft Stonesoft's StoneGate high availability firewall and VPN product does not contain any code that handles SIP protocol. No versions of StoneGate are vulnerable. Symantec Symantec Corporation products are not vulnerable to this issue. Xerox Xerox is aware of this vulnerability and is currently assessing all products. This statement will be updated as new information becomes available. Appendix B. - References 1. http://www.ee.oulu.fi/research/ouspg/protos/ 2. http://www.kb.cert.org/vuls/id/528719 3. http://www.cert.org/tech_tips/denial_of_service.html 4. http://www.ietf.org/html.charters/sip-charter.html 5. RFC3261 - SIP: Session Initiation Protocol 6. RFC2327 - SDP: Session Description Protocol 7. RFC2279 - UTF-8, a transformation format of ISO 10646 8. Session Initiation Protocol Basic Call Flow Examples 9. We would also like to acknowledge the "RedSkins" project of "MediaTeam Oulu" for their support of this research. _________________________________________________________________ Feedback on this document can be directed to the authors, Jason A. Rafail and Ian A. Finlay. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2003-06.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2003 Carnegie Mellon University. Revision History Feb 21, 2003: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPlZDZmjtSoHZUTs5AQGBKwQAr+4iXdsjC3LcN3QB77+6uslWZlP4AZlG IXS4u50QPNhuFw/vnuOG2FM4bCSUE7h+nG3eyakS1dWO3jGyybMFWPyvykYeFUKQ 17QbmykeWBUVdGmxOeuVmSdmz7MSp6U+FZZmzuUWM85DlSUKoYg8dF7CqVuC137O Eisa8/wivlM= =p961 -----END PGP SIGNATURE-----

The Session Initiation Protocol (SIP) implementation in Columbia SIP User Agent (sipc) 1.74 and other versions before sipc 2.0 build 2003-02-21 allows remote attackers to cause a denial of service or execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices. These issues may be exploited to cause a denial of services in devices which implement the protocol. It has also been reported that unauthorized access to devices may occur under some circumstances. These issues are related to handling of SIP INVITE messages. Exploitation and the specific nature of each vulnerability may depend on the particular implementation. -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP) Original release date: February 21, 2003 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Other systems making use of SIP may also be vulnerable but were not specifically tested. Not all SIP implementations are affected. See Vendor Information for details from vendors who have provided feedback for this advisory. In addition to the vendors who provided feedback for this advisory, a list of vendors whom CERT/CC contacted regarding these problems is available from VU#528719. These vulnerabilities may allow an attacker to gain unauthorized privileged access, cause denial-of-service attacks, or cause unstable system behavior. If your site uses SIP-enabled products in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below. I. SIP is a text-based protocol for initiating communication and data sessions between users. The Oulu University Secure Programming Group (OUSPG) previously conducted research into vulnerabilities in LDAP, culminating in CERT Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03. OUSPG's most recent research focused on a subset of SIP related to the INVITE message, which SIP agents and proxies are required to accept in order to set up sessions. Note that "throttling" is an expected behavior. Impact Exploitation of these vulnerabilities may result in denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain unauthorized access to the affected device. Specific impacts will vary from product to product. III. Solution Many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Ensure that any changes made based on the following recommendations will not unacceptably affect your ongoing network operations capability. Apply a patch from your vendor Appendix A contains information provided by vendors for this advisory. Please consult this appendix and VU#528719 to determine if your product is vulnerable. If a statement is unavailable, you may need to contact your vendor directly. Disable the SIP-enabled devices and services As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Some of the affected products may rely on SIP to be functional. You should carefully consider the impact of blocking services that you may be using. Ingress filtering As a temporary measure, it may be possible to limit the scope of these vulnerabilities by blocking access to SIP devices and services at the network perimeter. Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound traffic from the public Internet. Note that most SIP User Agents (including IP phones or "clien"t software) consist of a User Agent Client and a User Agent Server. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services. Please note that this workaround may not protect vulnerable devices from internal attacks. Egress filtering Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound traffic to the Internet. In the case of the SIP vulnerabilities, employing egress filtering on the ports listed above at your network border may prevent your network from being used as a source for attacks on other sites. Block SIP requests directed to broadcast addresses at your router. Since SIP requests can be transmitted via UDP, broadcast attacks are possible. One solution to prevent your site from being used as an intermediary in an attack is to block SIP requests directed to broadcast addresses at your router. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. America Online Inc Not vulnerable. Apple Computer Inc. There are currently no applications shipped by Apple with Mac OS X or Mac OS X Server which make use of the Session Initiation Protocol. Borderware No BorderWare products make use of SIP and thus no BorderWare products are affected by this vulnerability. We would however like to extend our thanks to the OUSPG for their work as well as for the responsible manner in which they handle their discoveries. Their detailed reports and test suites are certainly well-received. We would also like to reiterate the fact that SIP has yet to mature, protocol-wise as well as implementation-wise. We do not recommend that our customers set up SIP relays in parallel to our firewall products to pass SIP-based applications in or out of networks where security is a concern of note. F5 Networks F5 Networks does not have a SIP server product, and is therefore not affected by this vulnerability. Fujitsu With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable because the relevant function is not supported under UXP/V. IBM SIP is not implemented as part of the AIX operating system. IP Filter IPFilter does not do any SIP specific protocol handling and is therefore not affected by the issues mentioned in the paper cited. IPTel All versions of SIP Express Router up to 0.8.9 are sadly vulnerable to the OUSPG test suite. We strongly advice to upgrade to version 0.8.10. Please also apply the patch to version 0.8.10 from http://www.iptel.org/ser/security/ before installation and keep on watching this site in the future. We apologize to our users for the trouble. Hewlett-Packard Company Source: Hewlett-Packard Company Software Security Response Team cross reference id: SSRT2402 HP-UX - not vulnerable HP-MPE/ix - not vulnerable HP Tru64 UNIX - not vulnerable HP OpenVMS - not vulnerable HP NonStop Servers - not vulnerable To report potential security vulnerabilities in HP software, send an E-mail message to: mailto:security-alert@hp.com Lucent No Lucent products are known to be affected by this vulnerability, however we are still researching the issue and will update this statement as needed. Microsoft Corporation Microsoft has investigated these issues. The Microsoft SIP client implementation is not affected. NEC Corporation =================================================================== NEC vendor statement for VU#528719 =================================================================== sent on February 13, 2002 Server Products * EWS/UP 48 Series operating system * - is NOT vulnerable, because it does not support SIP. Router Products * IX 1000 / 2000 / 5000 Series * - is NOT vulnerable, because it does not support SIP. Other Network products * We continue to check our products which support SIP protocol. =================================================================== NETBSD NetBSD does not ship any implementation of SIP. NETfilter.org As the linux 2.4/2.5 netfilter implementation currently doesn't support connection tracking or NAT for the SIP protocol suite, we are not vulnerable to this bug. NetScreen NetScreen is not vulnerable to this issue. Network Appliance NetApp products are not affected by this vulnerability. Nokia Nokia IP Security Platforms based on IPSO, Nokis Small Office Solution platforms, Nokia VPN products and Nokia Message Protector platform do not initiate or terminate SIP based sessions. The mentioned Nokia products are not susceptible to this vulnerability Nortel Networks Nortel Networks is cooperating to the fullest extent with the CERT Coordination Center. All Nortel Networks products that use Session Initiation Protocol SIP) have been tested and all generally available products, with the following exceptions, have passed the test suite: Succession Communication Server 2000 and Succession Communication Server 2000 - Compact are impacted by the test suite only in configurations where SIP-T has been provisioned within the Communication Server; a software patch is expected to be available by the end of February. For further information about Nortel Networks products please contact Nortel Networks Global Network Support. North America: 1-800-4-NORTEL, or (1-800-466-7835) Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907 9009 Contacts for other regions available at the Global Contact <http://www.nortelnetworks.com/help/contact/global/> web page. Novell Novell has no products implementing SIP. Secure Computing Corporation Neither Sidewinder nor Gauntlet implements SIP, so we do not need to be on the vendor list for this vulnerability. SecureWorx We hereby attest that SecureWorx Basilisk Gateway Security product suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the Session Initiation Protocol (SIP) Vulnerability VU#528719 as described in the OUSPG announcement (OUSPG#0106) received on Fri, 8 Nov 2002 10:17:11 -0500. Stonesoft Stonesoft's StoneGate high availability firewall and VPN product does not contain any code that handles SIP protocol. No versions of StoneGate are vulnerable. Symantec Symantec Corporation products are not vulnerable to this issue. Xerox Xerox is aware of this vulnerability and is currently assessing all products. This statement will be updated as new information becomes available. Appendix B. - References 1. http://www.ee.oulu.fi/research/ouspg/protos/ 2. http://www.kb.cert.org/vuls/id/528719 3. http://www.cert.org/tech_tips/denial_of_service.html 4. http://www.ietf.org/html.charters/sip-charter.html 5. RFC3261 - SIP: Session Initiation Protocol 6. RFC2327 - SDP: Session Description Protocol 7. RFC2279 - UTF-8, a transformation format of ISO 10646 8. Session Initiation Protocol Basic Call Flow Examples 9. We would also like to acknowledge the "RedSkins" project of "MediaTeam Oulu" for their support of this research. _________________________________________________________________ Feedback on this document can be directed to the authors, Jason A. Rafail and Ian A. Finlay. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2003-06.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2003 Carnegie Mellon University. Revision History Feb 21, 2003: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPlZDZmjtSoHZUTs5AQGBKwQAr+4iXdsjC3LcN3QB77+6uslWZlP4AZlG IXS4u50QPNhuFw/vnuOG2FM4bCSUE7h+nG3eyakS1dWO3jGyybMFWPyvykYeFUKQ 17QbmykeWBUVdGmxOeuVmSdmz7MSp6U+FZZmzuUWM85DlSUKoYg8dF7CqVuC137O Eisa8/wivlM= =p961 -----END PGP SIGNATURE-----

The Session Initiation Protocol (SIP) implementation in Mediatrix Telecom VoIP Access Devices and Gateways running SIPv2.4 and SIPv4.3 firmware allows remote attackers to cause a denial of service or execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices. These issues may be exploited to cause a denial of services in devices which implement the protocol. It has also been reported that unauthorized access to devices may occur under some circumstances. These issues are related to handling of SIP INVITE messages. Exploitation and the specific nature of each vulnerability may depend on the particular implementation. SIP is part of the IETF standards process, and it builds on foundations such as SMTP (Simple Mail Transfer Protocol) and HTTP (Hypertext Transfer Protocol). It is used to establish, change and terminate calls between users based on IP networks. Cisco IP Telephony Modules 7940 and 7960 have these vulnerabilities, which can cause denial of service, and are documented in Cisco Bug IDs CSCdz26317, CSCdz29003, CSCdz29033, and CSCdz29041. Versions running Cisco IOS 12.2T train or any 12.2 \'\'X\'\' train will reset due to incorrect handling of SIP protocols containing illegal headers. These vulnerabilities are documented in Cisco Bug IDs CSCdz39284 and CSCdz41124. Devices running an IOS version with this vulnerability and configured as a SIP gateway will cause the vulnerability generated by CSCdz39284. However, any version of IOS running with this vulnerability and configured in NAT mode will cause the vulnerability described by CSCdz41124 when SIP uses UDP for transmission. The Cisco PIX firewall resets when it receives a fragmented SIP INVITE message. Since the current SIP patch does not support fragmented SIP messages, the vulnerability described by Cisco Bug ID CSCdx47789 is temporarily patched by dropping SIP fragments. -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP) Original release date: February 21, 2003 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Other systems making use of SIP may also be vulnerable but were not specifically tested. Not all SIP implementations are affected. See Vendor Information for details from vendors who have provided feedback for this advisory. In addition to the vendors who provided feedback for this advisory, a list of vendors whom CERT/CC contacted regarding these problems is available from VU#528719. These vulnerabilities may allow an attacker to gain unauthorized privileged access, cause denial-of-service attacks, or cause unstable system behavior. If your site uses SIP-enabled products in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below. I. SIP is a text-based protocol for initiating communication and data sessions between users. The Oulu University Secure Programming Group (OUSPG) previously conducted research into vulnerabilities in LDAP, culminating in CERT Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03. OUSPG's most recent research focused on a subset of SIP related to the INVITE message, which SIP agents and proxies are required to accept in order to set up sessions. Note that "throttling" is an expected behavior. Specifications for the Session Initiation Protocol are available in RFC3261: http://www.ietf.org/rfc/rfc3261.txt OUSPG has established the following site with detailed documentation regarding SIP and the implementation test results from the test suite: http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/ The IETF Charter page for SIP is available at http://www.ietf.org/html.charters/sip-charter.html II. Impact Exploitation of these vulnerabilities may result in denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain unauthorized access to the affected device. Specific impacts will vary from product to product. III. Solution Many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Ensure that any changes made based on the following recommendations will not unacceptably affect your ongoing network operations capability. Apply a patch from your vendor Appendix A contains information provided by vendors for this advisory. Please consult this appendix and VU#528719 to determine if your product is vulnerable. If a statement is unavailable, you may need to contact your vendor directly. Disable the SIP-enabled devices and services As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Some of the affected products may rely on SIP to be functional. You should carefully consider the impact of blocking services that you may be using. Ingress filtering As a temporary measure, it may be possible to limit the scope of these vulnerabilities by blocking access to SIP devices and services at the network perimeter. Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound traffic from the public Internet. Note that most SIP User Agents (including IP phones or "clien"t software) consist of a User Agent Client and a User Agent Server. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services. Please note that this workaround may not protect vulnerable devices from internal attacks. Egress filtering Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound traffic to the Internet. In the case of the SIP vulnerabilities, employing egress filtering on the ports listed above at your network border may prevent your network from being used as a source for attacks on other sites. Block SIP requests directed to broadcast addresses at your router. Since SIP requests can be transmitted via UDP, broadcast attacks are possible. One solution to prevent your site from being used as an intermediary in an attack is to block SIP requests directed to broadcast addresses at your router. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. America Online Inc Not vulnerable. Apple Computer Inc. There are currently no applications shipped by Apple with Mac OS X or Mac OS X Server which make use of the Session Initiation Protocol. Borderware No BorderWare products make use of SIP and thus no BorderWare products are affected by this vulnerability. We would however like to extend our thanks to the OUSPG for their work as well as for the responsible manner in which they handle their discoveries. Their detailed reports and test suites are certainly well-received. We would also like to reiterate the fact that SIP has yet to mature, protocol-wise as well as implementation-wise. We do not recommend that our customers set up SIP relays in parallel to our firewall products to pass SIP-based applications in or out of networks where security is a concern of note. F5 Networks F5 Networks does not have a SIP server product, and is therefore not affected by this vulnerability. Fujitsu With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable because the relevant function is not supported under UXP/V. IBM SIP is not implemented as part of the AIX operating system. IP Filter IPFilter does not do any SIP specific protocol handling and is therefore not affected by the issues mentioned in the paper cited. IPTel All versions of SIP Express Router up to 0.8.9 are sadly vulnerable to the OUSPG test suite. We strongly advice to upgrade to version 0.8.10. Please also apply the patch to version 0.8.10 from http://www.iptel.org/ser/security/ before installation and keep on watching this site in the future. We apologize to our users for the trouble. Hewlett-Packard Company Source: Hewlett-Packard Company Software Security Response Team cross reference id: SSRT2402 HP-UX - not vulnerable HP-MPE/ix - not vulnerable HP Tru64 UNIX - not vulnerable HP OpenVMS - not vulnerable HP NonStop Servers - not vulnerable To report potential security vulnerabilities in HP software, send an E-mail message to: mailto:security-alert@hp.com Lucent No Lucent products are known to be affected by this vulnerability, however we are still researching the issue and will update this statement as needed. Microsoft Corporation Microsoft has investigated these issues. The Microsoft SIP client implementation is not affected. NEC Corporation =================================================================== NEC vendor statement for VU#528719 =================================================================== sent on February 13, 2002 Server Products * EWS/UP 48 Series operating system * - is NOT vulnerable, because it does not support SIP. Router Products * IX 1000 / 2000 / 5000 Series * - is NOT vulnerable, because it does not support SIP. Other Network products * We continue to check our products which support SIP protocol. =================================================================== NETBSD NetBSD does not ship any implementation of SIP. NETfilter.org As the linux 2.4/2.5 netfilter implementation currently doesn't support connection tracking or NAT for the SIP protocol suite, we are not vulnerable to this bug. NetScreen NetScreen is not vulnerable to this issue. Network Appliance NetApp products are not affected by this vulnerability. Nokia Nokia IP Security Platforms based on IPSO, Nokis Small Office Solution platforms, Nokia VPN products and Nokia Message Protector platform do not initiate or terminate SIP based sessions. The mentioned Nokia products are not susceptible to this vulnerability Nortel Networks Nortel Networks is cooperating to the fullest extent with the CERT Coordination Center. All Nortel Networks products that use Session Initiation Protocol SIP) have been tested and all generally available products, with the following exceptions, have passed the test suite: Succession Communication Server 2000 and Succession Communication Server 2000 - Compact are impacted by the test suite only in configurations where SIP-T has been provisioned within the Communication Server; a software patch is expected to be available by the end of February. For further information about Nortel Networks products please contact Nortel Networks Global Network Support. North America: 1-800-4-NORTEL, or (1-800-466-7835) Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907 9009 Contacts for other regions available at the Global Contact <http://www.nortelnetworks.com/help/contact/global/> web page. Novell Novell has no products implementing SIP. Secure Computing Corporation Neither Sidewinder nor Gauntlet implements SIP, so we do not need to be on the vendor list for this vulnerability. SecureWorx We hereby attest that SecureWorx Basilisk Gateway Security product suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the Session Initiation Protocol (SIP) Vulnerability VU#528719 as described in the OUSPG announcement (OUSPG#0106) received on Fri, 8 Nov 2002 10:17:11 -0500. Stonesoft Stonesoft's StoneGate high availability firewall and VPN product does not contain any code that handles SIP protocol. No versions of StoneGate are vulnerable. Symantec Symantec Corporation products are not vulnerable to this issue. Xerox Xerox is aware of this vulnerability and is currently assessing all products. This statement will be updated as new information becomes available. Appendix B. - References 1. http://www.ee.oulu.fi/research/ouspg/protos/ 2. http://www.kb.cert.org/vuls/id/528719 3. http://www.cert.org/tech_tips/denial_of_service.html 4. http://www.ietf.org/html.charters/sip-charter.html 5. RFC3261 - SIP: Session Initiation Protocol 6. RFC2327 - SDP: Session Description Protocol 7. RFC2279 - UTF-8, a transformation format of ISO 10646 8. Session Initiation Protocol Basic Call Flow Examples 9. We would also like to acknowledge the "RedSkins" project of "MediaTeam Oulu" for their support of this research. _________________________________________________________________ Feedback on this document can be directed to the authors, Jason A. Rafail and Ian A. Finlay. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2003-06.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2003 Carnegie Mellon University. Revision History Feb 21, 2003: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPlZDZmjtSoHZUTs5AQGBKwQAr+4iXdsjC3LcN3QB77+6uslWZlP4AZlG IXS4u50QPNhuFw/vnuOG2FM4bCSUE7h+nG3eyakS1dWO3jGyybMFWPyvykYeFUKQ 17QbmykeWBUVdGmxOeuVmSdmz7MSp6U+FZZmzuUWM85DlSUKoYg8dF7CqVuC137O Eisa8/wivlM= =p961 -----END PGP SIGNATURE-----

The Session Initiation Protocol (SIP) implementation in IPTel SIP Express Router 0.8.9 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices. These issues may be exploited to cause a denial of services in devices which implement the protocol. It has also been reported that unauthorized access to devices may occur under some circumstances. These issues are related to handling of SIP INVITE messages. Exploitation and the specific nature of each vulnerability may depend on the particular implementation. SIP is part of the IETF standards process, and it builds on foundations such as SMTP (Simple Mail Transfer Protocol) and HTTP (Hypertext Transfer Protocol). It is used to establish, change and terminate calls between users based on IP networks. These vulnerabilities include buffer overflow and improper handling of request messages containing illegal headers, which can cause buffer overflow on devices running this protocol, resulting in denial of service, and may also cause unauthorized access or remote execution of arbitrary commands. Cisco IP Telephony Modules 7940 and 7960 have these vulnerabilities, which can cause denial of service, and are documented in Cisco Bug IDs CSCdz26317, CSCdz29003, CSCdz29033, and CSCdz29041. Versions running Cisco IOS 12.2T train or any 12.2 \'\'X\'\' train will reset due to incorrect handling of SIP protocols containing illegal headers. These vulnerabilities are documented in Cisco Bug IDs CSCdz39284 and CSCdz41124. Devices running an IOS version with this vulnerability and configured as a SIP gateway will cause the vulnerability generated by CSCdz39284. However, any version of IOS running with this vulnerability and configured in NAT mode will cause the vulnerability described by CSCdz41124 when SIP uses UDP for transmission. The Cisco PIX firewall resets when it receives a fragmented SIP INVITE message. Since the current SIP patch does not support fragmented SIP messages, the vulnerability described by Cisco Bug ID CSCdx47789 is temporarily patched by dropping SIP fragments. -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP) Original release date: February 21, 2003 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Other systems making use of SIP may also be vulnerable but were not specifically tested. Not all SIP implementations are affected. See Vendor Information for details from vendors who have provided feedback for this advisory. In addition to the vendors who provided feedback for this advisory, a list of vendors whom CERT/CC contacted regarding these problems is available from VU#528719. These vulnerabilities may allow an attacker to gain unauthorized privileged access, cause denial-of-service attacks, or cause unstable system behavior. If your site uses SIP-enabled products in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below. I. SIP is a text-based protocol for initiating communication and data sessions between users. The Oulu University Secure Programming Group (OUSPG) previously conducted research into vulnerabilities in LDAP, culminating in CERT Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03. OUSPG's most recent research focused on a subset of SIP related to the INVITE message, which SIP agents and proxies are required to accept in order to set up sessions. Note that "throttling" is an expected behavior. Impact Exploitation of these vulnerabilities may result in denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain unauthorized access to the affected device. Specific impacts will vary from product to product. III. Solution Many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Ensure that any changes made based on the following recommendations will not unacceptably affect your ongoing network operations capability. Apply a patch from your vendor Appendix A contains information provided by vendors for this advisory. Please consult this appendix and VU#528719 to determine if your product is vulnerable. If a statement is unavailable, you may need to contact your vendor directly. Disable the SIP-enabled devices and services As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Some of the affected products may rely on SIP to be functional. You should carefully consider the impact of blocking services that you may be using. Ingress filtering As a temporary measure, it may be possible to limit the scope of these vulnerabilities by blocking access to SIP devices and services at the network perimeter. Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound traffic from the public Internet. Note that most SIP User Agents (including IP phones or "clien"t software) consist of a User Agent Client and a User Agent Server. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services. Please note that this workaround may not protect vulnerable devices from internal attacks. Egress filtering Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound traffic to the Internet. In the case of the SIP vulnerabilities, employing egress filtering on the ports listed above at your network border may prevent your network from being used as a source for attacks on other sites. Block SIP requests directed to broadcast addresses at your router. Since SIP requests can be transmitted via UDP, broadcast attacks are possible. One solution to prevent your site from being used as an intermediary in an attack is to block SIP requests directed to broadcast addresses at your router. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. America Online Inc Not vulnerable. Apple Computer Inc. There are currently no applications shipped by Apple with Mac OS X or Mac OS X Server which make use of the Session Initiation Protocol. Borderware No BorderWare products make use of SIP and thus no BorderWare products are affected by this vulnerability. We would however like to extend our thanks to the OUSPG for their work as well as for the responsible manner in which they handle their discoveries. Their detailed reports and test suites are certainly well-received. We would also like to reiterate the fact that SIP has yet to mature, protocol-wise as well as implementation-wise. We do not recommend that our customers set up SIP relays in parallel to our firewall products to pass SIP-based applications in or out of networks where security is a concern of note. F5 Networks F5 Networks does not have a SIP server product, and is therefore not affected by this vulnerability. Fujitsu With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable because the relevant function is not supported under UXP/V. IBM SIP is not implemented as part of the AIX operating system. IP Filter IPFilter does not do any SIP specific protocol handling and is therefore not affected by the issues mentioned in the paper cited. IPTel All versions of SIP Express Router up to 0.8.9 are sadly vulnerable to the OUSPG test suite. We strongly advice to upgrade to version 0.8.10. Please also apply the patch to version 0.8.10 from http://www.iptel.org/ser/security/ before installation and keep on watching this site in the future. We apologize to our users for the trouble. Hewlett-Packard Company Source: Hewlett-Packard Company Software Security Response Team cross reference id: SSRT2402 HP-UX - not vulnerable HP-MPE/ix - not vulnerable HP Tru64 UNIX - not vulnerable HP OpenVMS - not vulnerable HP NonStop Servers - not vulnerable To report potential security vulnerabilities in HP software, send an E-mail message to: mailto:security-alert@hp.com Lucent No Lucent products are known to be affected by this vulnerability, however we are still researching the issue and will update this statement as needed. Microsoft Corporation Microsoft has investigated these issues. The Microsoft SIP client implementation is not affected. NEC Corporation =================================================================== NEC vendor statement for VU#528719 =================================================================== sent on February 13, 2002 Server Products * EWS/UP 48 Series operating system * - is NOT vulnerable, because it does not support SIP. Router Products * IX 1000 / 2000 / 5000 Series * - is NOT vulnerable, because it does not support SIP. Other Network products * We continue to check our products which support SIP protocol. =================================================================== NETBSD NetBSD does not ship any implementation of SIP. NETfilter.org As the linux 2.4/2.5 netfilter implementation currently doesn't support connection tracking or NAT for the SIP protocol suite, we are not vulnerable to this bug. NetScreen NetScreen is not vulnerable to this issue. Network Appliance NetApp products are not affected by this vulnerability. Nokia Nokia IP Security Platforms based on IPSO, Nokis Small Office Solution platforms, Nokia VPN products and Nokia Message Protector platform do not initiate or terminate SIP based sessions. The mentioned Nokia products are not susceptible to this vulnerability Nortel Networks Nortel Networks is cooperating to the fullest extent with the CERT Coordination Center. All Nortel Networks products that use Session Initiation Protocol SIP) have been tested and all generally available products, with the following exceptions, have passed the test suite: Succession Communication Server 2000 and Succession Communication Server 2000 - Compact are impacted by the test suite only in configurations where SIP-T has been provisioned within the Communication Server; a software patch is expected to be available by the end of February. For further information about Nortel Networks products please contact Nortel Networks Global Network Support. North America: 1-800-4-NORTEL, or (1-800-466-7835) Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907 9009 Contacts for other regions available at the Global Contact <http://www.nortelnetworks.com/help/contact/global/> web page. Novell Novell has no products implementing SIP. Secure Computing Corporation Neither Sidewinder nor Gauntlet implements SIP, so we do not need to be on the vendor list for this vulnerability. SecureWorx We hereby attest that SecureWorx Basilisk Gateway Security product suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the Session Initiation Protocol (SIP) Vulnerability VU#528719 as described in the OUSPG announcement (OUSPG#0106) received on Fri, 8 Nov 2002 10:17:11 -0500. Stonesoft Stonesoft's StoneGate high availability firewall and VPN product does not contain any code that handles SIP protocol. No versions of StoneGate are vulnerable. Symantec Symantec Corporation products are not vulnerable to this issue. Xerox Xerox is aware of this vulnerability and is currently assessing all products. This statement will be updated as new information becomes available. Appendix B. - References 1. http://www.ee.oulu.fi/research/ouspg/protos/ 2. http://www.kb.cert.org/vuls/id/528719 3. http://www.cert.org/tech_tips/denial_of_service.html 4. http://www.ietf.org/html.charters/sip-charter.html 5. RFC3261 - SIP: Session Initiation Protocol 6. RFC2327 - SDP: Session Description Protocol 7. RFC2279 - UTF-8, a transformation format of ISO 10646 8. Session Initiation Protocol Basic Call Flow Examples 9. We would also like to acknowledge the "RedSkins" project of "MediaTeam Oulu" for their support of this research. _________________________________________________________________ Feedback on this document can be directed to the authors, Jason A. Rafail and Ian A. Finlay. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2003-06.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2003 Carnegie Mellon University. Revision History Feb 21, 2003: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPlZDZmjtSoHZUTs5AQGBKwQAr+4iXdsjC3LcN3QB77+6uslWZlP4AZlG IXS4u50QPNhuFw/vnuOG2FM4bCSUE7h+nG3eyakS1dWO3jGyybMFWPyvykYeFUKQ 17QbmykeWBUVdGmxOeuVmSdmz7MSp6U+FZZmzuUWM85DlSUKoYg8dF7CqVuC137O Eisa8/wivlM= =p961 -----END PGP SIGNATURE-----

The Session Initiation Protocol (SIP) implementation in Ingate Firewall and Ingate SIParator before 3.1.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices. These issues may be exploited to cause a denial of services in devices which implement the protocol. It has also been reported that unauthorized access to devices may occur under some circumstances. These issues are related to handling of SIP INVITE messages. Exploitation and the specific nature of each vulnerability may depend on the particular implementation. SIP is part of the IETF standards process, and it builds on foundations such as SMTP (Simple Mail Transfer Protocol) and HTTP (Hypertext Transfer Protocol). It is used to establish, change and terminate calls between users based on IP networks. These vulnerabilities include buffer overflow and improper handling of request messages containing illegal headers, which can cause buffer overflow on devices running this protocol, resulting in denial of service, and may also cause unauthorized access or remote execution of arbitrary commands. Cisco IP Telephony Modules 7940 and 7960 have these vulnerabilities, which can cause denial of service, and are documented in Cisco Bug IDs CSCdz26317, CSCdz29003, CSCdz29033, and CSCdz29041. Versions running Cisco IOS 12.2T train or any 12.2 \'\'X\'\' train will reset due to incorrect handling of SIP protocols containing illegal headers. These vulnerabilities are documented in Cisco Bug IDs CSCdz39284 and CSCdz41124. Devices running an IOS version with this vulnerability and configured as a SIP gateway will cause the vulnerability generated by CSCdz39284. However, any version of IOS running with this vulnerability and configured in NAT mode will cause the vulnerability described by CSCdz41124 when SIP uses UDP for transmission. The Cisco PIX firewall resets when it receives a fragmented SIP INVITE message. Since the current SIP patch does not support fragmented SIP messages, the vulnerability described by Cisco Bug ID CSCdx47789 is temporarily patched by dropping SIP fragments. -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP) Original release date: February 21, 2003 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Other systems making use of SIP may also be vulnerable but were not specifically tested. Not all SIP implementations are affected. See Vendor Information for details from vendors who have provided feedback for this advisory. In addition to the vendors who provided feedback for this advisory, a list of vendors whom CERT/CC contacted regarding these problems is available from VU#528719. These vulnerabilities may allow an attacker to gain unauthorized privileged access, cause denial-of-service attacks, or cause unstable system behavior. If your site uses SIP-enabled products in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below. I. SIP is a text-based protocol for initiating communication and data sessions between users. The Oulu University Secure Programming Group (OUSPG) previously conducted research into vulnerabilities in LDAP, culminating in CERT Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03. OUSPG's most recent research focused on a subset of SIP related to the INVITE message, which SIP agents and proxies are required to accept in order to set up sessions. Note that "throttling" is an expected behavior. Specifications for the Session Initiation Protocol are available in RFC3261: http://www.ietf.org/rfc/rfc3261.txt OUSPG has established the following site with detailed documentation regarding SIP and the implementation test results from the test suite: http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/ The IETF Charter page for SIP is available at http://www.ietf.org/html.charters/sip-charter.html II. Impact Exploitation of these vulnerabilities may result in denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain unauthorized access to the affected device. Specific impacts will vary from product to product. III. Solution Many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Ensure that any changes made based on the following recommendations will not unacceptably affect your ongoing network operations capability. Apply a patch from your vendor Appendix A contains information provided by vendors for this advisory. Please consult this appendix and VU#528719 to determine if your product is vulnerable. If a statement is unavailable, you may need to contact your vendor directly. Disable the SIP-enabled devices and services As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Some of the affected products may rely on SIP to be functional. You should carefully consider the impact of blocking services that you may be using. Ingress filtering As a temporary measure, it may be possible to limit the scope of these vulnerabilities by blocking access to SIP devices and services at the network perimeter. Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound traffic from the public Internet. Note that most SIP User Agents (including IP phones or "clien"t software) consist of a User Agent Client and a User Agent Server. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services. Please note that this workaround may not protect vulnerable devices from internal attacks. Egress filtering Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound traffic to the Internet. In the case of the SIP vulnerabilities, employing egress filtering on the ports listed above at your network border may prevent your network from being used as a source for attacks on other sites. Block SIP requests directed to broadcast addresses at your router. Since SIP requests can be transmitted via UDP, broadcast attacks are possible. One solution to prevent your site from being used as an intermediary in an attack is to block SIP requests directed to broadcast addresses at your router. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. America Online Inc Not vulnerable. Apple Computer Inc. There are currently no applications shipped by Apple with Mac OS X or Mac OS X Server which make use of the Session Initiation Protocol. Borderware No BorderWare products make use of SIP and thus no BorderWare products are affected by this vulnerability. We would however like to extend our thanks to the OUSPG for their work as well as for the responsible manner in which they handle their discoveries. Their detailed reports and test suites are certainly well-received. We would also like to reiterate the fact that SIP has yet to mature, protocol-wise as well as implementation-wise. We do not recommend that our customers set up SIP relays in parallel to our firewall products to pass SIP-based applications in or out of networks where security is a concern of note. F5 Networks F5 Networks does not have a SIP server product, and is therefore not affected by this vulnerability. Fujitsu With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable because the relevant function is not supported under UXP/V. IBM SIP is not implemented as part of the AIX operating system. IP Filter IPFilter does not do any SIP specific protocol handling and is therefore not affected by the issues mentioned in the paper cited. IPTel All versions of SIP Express Router up to 0.8.9 are sadly vulnerable to the OUSPG test suite. We strongly advice to upgrade to version 0.8.10. Please also apply the patch to version 0.8.10 from http://www.iptel.org/ser/security/ before installation and keep on watching this site in the future. We apologize to our users for the trouble. Hewlett-Packard Company Source: Hewlett-Packard Company Software Security Response Team cross reference id: SSRT2402 HP-UX - not vulnerable HP-MPE/ix - not vulnerable HP Tru64 UNIX - not vulnerable HP OpenVMS - not vulnerable HP NonStop Servers - not vulnerable To report potential security vulnerabilities in HP software, send an E-mail message to: mailto:security-alert@hp.com Lucent No Lucent products are known to be affected by this vulnerability, however we are still researching the issue and will update this statement as needed. Microsoft Corporation Microsoft has investigated these issues. The Microsoft SIP client implementation is not affected. NEC Corporation =================================================================== NEC vendor statement for VU#528719 =================================================================== sent on February 13, 2002 Server Products * EWS/UP 48 Series operating system * - is NOT vulnerable, because it does not support SIP. Router Products * IX 1000 / 2000 / 5000 Series * - is NOT vulnerable, because it does not support SIP. Other Network products * We continue to check our products which support SIP protocol. =================================================================== NETBSD NetBSD does not ship any implementation of SIP. NETfilter.org As the linux 2.4/2.5 netfilter implementation currently doesn't support connection tracking or NAT for the SIP protocol suite, we are not vulnerable to this bug. NetScreen NetScreen is not vulnerable to this issue. Network Appliance NetApp products are not affected by this vulnerability. Nokia Nokia IP Security Platforms based on IPSO, Nokis Small Office Solution platforms, Nokia VPN products and Nokia Message Protector platform do not initiate or terminate SIP based sessions. The mentioned Nokia products are not susceptible to this vulnerability Nortel Networks Nortel Networks is cooperating to the fullest extent with the CERT Coordination Center. All Nortel Networks products that use Session Initiation Protocol SIP) have been tested and all generally available products, with the following exceptions, have passed the test suite: Succession Communication Server 2000 and Succession Communication Server 2000 - Compact are impacted by the test suite only in configurations where SIP-T has been provisioned within the Communication Server; a software patch is expected to be available by the end of February. For further information about Nortel Networks products please contact Nortel Networks Global Network Support. North America: 1-800-4-NORTEL, or (1-800-466-7835) Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907 9009 Contacts for other regions available at the Global Contact <http://www.nortelnetworks.com/help/contact/global/> web page. Novell Novell has no products implementing SIP. Secure Computing Corporation Neither Sidewinder nor Gauntlet implements SIP, so we do not need to be on the vendor list for this vulnerability. SecureWorx We hereby attest that SecureWorx Basilisk Gateway Security product suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the Session Initiation Protocol (SIP) Vulnerability VU#528719 as described in the OUSPG announcement (OUSPG#0106) received on Fri, 8 Nov 2002 10:17:11 -0500. Stonesoft Stonesoft's StoneGate high availability firewall and VPN product does not contain any code that handles SIP protocol. No versions of StoneGate are vulnerable. Symantec Symantec Corporation products are not vulnerable to this issue. Xerox Xerox is aware of this vulnerability and is currently assessing all products. This statement will be updated as new information becomes available. Appendix B. - References 1. http://www.ee.oulu.fi/research/ouspg/protos/ 2. http://www.kb.cert.org/vuls/id/528719 3. http://www.cert.org/tech_tips/denial_of_service.html 4. http://www.ietf.org/html.charters/sip-charter.html 5. RFC3261 - SIP: Session Initiation Protocol 6. RFC2327 - SDP: Session Description Protocol 7. RFC2279 - UTF-8, a transformation format of ISO 10646 8. Session Initiation Protocol Basic Call Flow Examples 9. We would also like to acknowledge the "RedSkins" project of "MediaTeam Oulu" for their support of this research. _________________________________________________________________ Feedback on this document can be directed to the authors, Jason A. Rafail and Ian A. Finlay. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2003-06.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2003 Carnegie Mellon University. Revision History Feb 21, 2003: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPlZDZmjtSoHZUTs5AQGBKwQAr+4iXdsjC3LcN3QB77+6uslWZlP4AZlG IXS4u50QPNhuFw/vnuOG2FM4bCSUE7h+nG3eyakS1dWO3jGyybMFWPyvykYeFUKQ 17QbmykeWBUVdGmxOeuVmSdmz7MSp6U+FZZmzuUWM85DlSUKoYg8dF7CqVuC137O Eisa8/wivlM= =p961 -----END PGP SIGNATURE-----

Buffer overflow in Cisco IOS 11.2.x to 12.0.x allows remote attackers to cause a denial of service and possibly execute commands via a large number of OSPF neighbor announcements. Cisco Internetwork Operating System (IOS) is the operating system for the majority of Cisco routers. Open Shortest-Path First (OSPF) is a interior routing protocol. Cisco IOS In 1 For each network interface 255 More than one host neighbor relationship Such as trying to establish OSPF neighbor announcements Service operation by receiving (DoS) A vulnerability that causes a condition exists.Communication between networks connected to the router may become impossible. The overflow occurs when more than 255 OSPF neighbors are announced. This may make it possible to execute malicious instructions on a device running a vulnerable version of the software. Denial of service is also possible. This issue corresponds to Cisco Bug ID CSCdp58462. When the OSPF implementation included in some Cisco IOS versions receives notifications from more than 255 OSPF neighbors on an interface, the IO memory structure will be damaged. FX of Phenoelit research provides a program that exploits this vulnerability to execute malicious code on the router

SQL injection vulnerability in PHP-Nuke 5.6 and 6.0 allows remote attackers to execute arbitrary SQL commands via the days parameter to the search module. PHPNuke, in some cases, does not sufficiently sanitize user-supplied input which is used when constructing SQL queries. As a result, attackers may supply malicious parameters to manipulate the structure and logic of SQL queries. This may result in unauthorized operations being performed on the underlying database. This issue may be exploited to cause sensitive information to be disclosed to a remote attacker. PHP-Nuke is a popular website creation and management tool, it can use many database software as backend, such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc. A remote attacker may use this vulnerability to obtain the encrypted password HASH value of the PHP-Nuke administrator, thereby gaining administrator privileges

Buffer overflow in Symantec Norton AntiVirus 2002 allows remote attackers to execute arbitrary code via an e-mail attachment with a compressed ZIP file that contains a file with a long filename. The Norton Antivirus 2002 email scanner is vulnerable to a buffer overflow. This could potentially result in code execution in the security context of the antivirus scanner. When parsing this mail, a buffer overflow may occur. Carefully constructed file name data may execute arbitrary instructions on the system with the process privilege of the logged-in user

TruBlueEnvironment for MacOS 10.2.3 and earlier allows local users to overwrite or create arbitrary files and gain root privileges by setting a certain environment variable that is used to write debugging information. There is a vulnerability in the Apple MacOS Classic emulator for MacOS X that may lead to elevation of privileges. This issue exists in TruBlueEnvironment, which is included in the emulator. The environment variable is used to define a location to output debugging information to a file. Exploitation of this issue may enable a malicious local user to gain elevated privileges by causing malicious files to be run through a facility such as cron. Overwriting critical system files may also cause a denial of service. TruBlueEnvironment is a tool included with the MacOS Classic Emulator, installed as setuid root by default. There is a problem with setting environment variables in TruBlueEnvironment. Local attackers can use this vulnerability to perform privilege escalation attacks through cron tools, or overwrite important system files to perform denial-of-service attacks. If the file exists, it will be set to zero bytes. If the file does not exist, it will be created with the umask permission of the calling process. Although the attacker cannot create a file with execution permission, the file created in this way can be read and written globally. In MacOS X, this vulnerability can be used to automatically create files through cron. By default, cron uses the periodic command for daily maintenance. This command will receive several files and pass them to the SHELL parser to run. Since these scripts are run with root user privileges running, so possibly privilege escalation by running cron and TruBluEnvironment

Apple File Protocol (AFP) in Mac OS X before 10.2.4 allows administrators to log in as other users by using the administrator password. This may result in the disclosure of sensitive information if data is intercepted. Further details about this issue are not known at this time. This BID will be updated as further information becomes available. Remote attackers can use this vulnerability to obtain administrator authentication information by intercepting communication data. No detailed vulnerability details have been obtained so far

Cisco IOS 12.0 through 12.2, when IP routing is disabled, accepts false ICMP redirect messages, which allows remote attackers to cause a denial of service (network routing modification). It has been reported that it is possible to make arbitrary remote modifications to the Cisco IOS routing table. ICMP redirect messages are normally sent to indicate inefficient routing, a new route or a routing change. An attacker may specify a default gateway on the local network that does not exist, thus denying service to the affected router for traffic destined to any location outside the local subnet. Internet Operating System (IOS) is an operating system used on CISCO routers. Another possibility is to advertise that the gateway is on a completely different subnet. If a device proxyes ARP requests for this fake gateway, all communications destined for external subnets will be forwarded to the fake gateway. And if there is no device acting as an ARP request agent for the fake gateway, the information described in the first case will be blocked. A final possibility is for a malicious user to insert the default gateway as the IP address of the attacker's machine, which could lead to interception of all communications

The web administration page for the Ericsson HM220dp ADSL modem does not require authentication, which could allow remote attackers to gain access from the LAN side. This interface does not require any authentication in order to access. There is no option to enable any authentication requirement. Ericsson HM220dp is a small office environment ADSL MODEM

Directory traversal vulnerability in the web configuration interface in Netgear FM114P 1.4 allows remote attackers to read arbitrary files, such as the netgear.cfg configuration file, via a hex-encoded (%2e%2e%2f) ../ (dot dot slash) in the port parameter. Netgear FM114P is a wireless network router that includes a firewall function.  Netgear FM114P wireless firewall lacks proper filtering of web requests submitted by users.  Netgear FM114P's WEB configuration interface lacks sufficient filtering for user-submitted requests. Attackers can submit malicious URL requests to break through the / upnp / service directory limit. Unauthorized access to router configuration files. Configuration files contain dial-up passwords, dynamic DNS configuration passwords, and router configurations. Options, etc. Attackers can use this information to conduct further attacks on routers. Netgear FM114P Wireless Firewalls allow directory traversal using escaped character sequences. It is possible for an unauthenticated user to retrieve the firewall's configuration file by escaping from the /upnp/service directory

Aladdin Knowlege Systems eSafe Gateway 3.5.126.0 does not check the entire stream of Content Vectoring Protocol (CVP) data, which allows remote attackers to bypass virus protection. It has been reported that under some circumstances, eSafe Gateway does not properly scan messages in transit. This problem occurs when data is passed to eSafe via a Check Point OPSEC CVP compliant firewall. Because of this, malicious code may be able to circumvent the filters imposed by the software and enter, or exit the network. This could lead to further compromise of network resources. A remote attacker can exploit this vulnerability to bypass virus filtering. When Checkpoint installed with Feature Pack 3 receives more than 2M files, the scanning program will be unstable during CVP inspection. For example, if the SMTP message exceeds 2MB, FW-1 will perform the following operations: 1. Put the information into the buffer pool. 2. Send data to the CVP server. 3. It will stop when sending 1MB or nearly 2MB of data. 4. Sending will resume after 5 minutes. 5. The CVP server allows data to be placed in spool\d_resend and enters a loop operation until the information is marked as expired

Cross-site scripting (XSS) vulnerability in the Your_Account module for PHP-Nuke 5.0 through 6.0 allows remote attackers to inject arbitrary web script or HTML via the user_avatar parameter. A problem with PHP-Nuke could allow remote users to execute arbitrary code in the context of the web site. The problem is in the lack of sanitization of some types of input. PHP-Nuke does not sanitize code submitted to a site from the avatar select box. Due to this, a malicious user may be able to submit embedded code from their profile page instead of an avatar. This would result in code being executed in the location where a user's avatar should normally display. This code would be executed by a victim user's browser in the context of the site

The Apache HTTP Server in Apple Mac OS X before 10.6.2 enables the HTTP TRACE method, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified web client software. The HTTP TRACE method returns the contents of client HTTP requests in the entity-body of the TRACE response. Attackers could leverage this behavior to access sensitive information, such as cookies or authentication data, contained in the HTTP headers of the request. The attacker may exploit this issue to steal cookie-based authentication credentials and carry out other attacks. NOTE: This issue was previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been assigned its own record to better document it. This update provides a solution to this vulnerability. Update: The wrong package was uploaded for 2009.1. This update addresses that problem. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2823 http://www.kb.cert.org/vuls/id/867593 _______________________________________________________________________ Updated Packages: Mandriva Linux 2009.1: d20085bdf2db6c017ae2bbd1e66b95a3 2009.1/i586/apache-conf-2.2.11-5.1mdv2009.1.i586.rpm 528faefad6aa4272aa1f4eb028ffa738 2009.1/SRPMS/apache-conf-2.2.11-5.1mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: 3621be7e9f192f73f0c0435891d5ee1e 2009.1/x86_64/apache-conf-2.2.11-5.1mdv2009.1.x86_64.rpm 528faefad6aa4272aa1f4eb028ffa738 2009.1/SRPMS/apache-conf-2.2.11-5.1mdv2009.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFLRcf1mqjQ0CJFipgRAu1hAKD028okjckw8ACr/FJhfKYKLYaWKACfYIQK uxRECffkMfmnBqa56GkQhAA= =MP9m -----END PGP SIGNATURE----- . Update: Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers

The default configuration of the web server for the Solaris Management Console (SMC) in Solaris 8, 9, and 10 enables the HTTP TRACE method, which could allow remote attackers to obtain sensitive information such as cookies and authentication data from HTTP headers. The HTTP TRACE method returns the contents of client HTTP requests in the entity-body of the TRACE response. RFC 2616 According to TRACE Supports methods Web The server is set in the browser Cookie A vulnerability exists in which information is obtained.Set in browser Cookie Authentication information derived from (Basic Authentication: base64 Contains encoded user information ) May get you. Sun Solaris Management Console is prone to an information-disclosure vulnerability. The attacker may exploit this issue along with other attacks, such as cross-site scripting, to steal cookie-based authentication credentials. TITLE: Sun Solaris HTTP TRACE Response Cross-Site Scripting Issue SECUNIA ADVISORY ID: SA17334 VERIFY ADVISORY: http://secunia.com/advisories/17334/ CRITICAL: Not critical IMPACT: Cross Site Scripting WHERE: >From local network OPERATING SYSTEM: Sun Solaris 10 http://secunia.com/product/4813/ Sun Solaris 8 http://secunia.com/product/94/ Sun Solaris 9 http://secunia.com/product/95/ DESCRIPTION: Sun has acknowledged a security issue in Solaris, which potentially can be exploited by malicious people to conduct cross-site scripting attacks. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site when combined with certain browser vulnerabilities. It is reportedly not possible to disable the TRACE method. The security issue has been reported in Solaris 8, 9 and 10 on both SPARC and x86 platforms. SOLUTION: Apply patches when available. The vendor recommends that the SMC may be disabled as a workaround. -- SPARC Platform -- Solaris 9: Apply patch 116807-02 or later. -- x86 Platform -- Solaris 9: Apply patch 116808-02 or later. PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102016-1 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------