IP-телефония покушается на корпоративную связь

CERT Advisory CA-2003-06
Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP)

Original release date: February 21, 2003

Systems Affected

     SIP-enabled products from a wide variety of vendors are affected. Other systems making use of SIP may also be vulnerable but were not specifically tested. Not all SIP implementations are affected. See Vendor Information for details from vendors who have provided feedback for this advisory

     In addition to the vendors who provided feedback for this advisory, a list of vendors whom CERT/CC contacted regarding these problems is available from VU#528719

Overview

     Numerous vulnerabilities have been reported in multiple vendors' implementations of the Session Initiation Protocol. These vulnerabilities may allow an attacker to gain unauthorized privileged access, cause denial-of-service attacks, or cause unstable system behavior. If your site uses SIP-enabled products in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below

I. Description

     The Session Initiation Protocol (SIP) is a developing and newly deployed protocol that is commonly used in Voice over IP (VoIP), Internet telephony, instant messaging, and various other applications. SIP is a text-based protocol for initiating communication and data sessions between users

     The Oulu University Secure Programming Group (OUSPG) previously conducted research into vulnerabilities in LDAP, culminating in CERT Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03

     OUSPG's most recent research focused on a subset of SIP related to the INVITE message, which SIP agents and proxies are required to accept in order to set up sessions. By applying the PROTOS c07-sip test suite to a variety of popular SIP-enabled products, the OUSPG discovered impacts ranging from unexpected system behavior and denial of services to remote code execution. Note that "throttling" is an expected behavior

     Specifications for the Session Initiation Protocol are available in RFC3261

     OUSPG has established the following site with detailed documentation regarding SIP and the implementation test results from the test suite: http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip

     The IETF Charter page for SIP is available at http://www.ietf.org/html.charters/sip-charter.html

II. Impact

     Exploitation of these vulnerabilities may result in denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain unauthorized access to the affected device. Specific impacts will vary from product to product

III. Solution

     Many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Ensure that any changes made based on the following recommendations will not unacceptably affect your ongoing network operations capability

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. Please consult this appendix and VU#528719 to determine if your product is vulnerable. If a statement is unavailable, you may need to contact your vendor directly

Disable the SIP-enabled devices and services

As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Some of the affected products may rely on SIP to be functional. You should carefully consider the impact of blocking services that you may be using

Ingress filtering

As a temporary measure, it may be possible to limit the scope of these vulnerabilities by blocking access to SIP devices and services at the network perimeter

Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound traffic from the public Internet. Note that most SIP User Agents (including IP phones or "clien"t software) consist of a User Agent Client and a User Agent Server. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services. For SIP, ingress filtering of the following ports can prevent attackers outside of your network from accessing vulnerable devices in the local network that are not explicitly authorized to provide public SIP services:

sip 5060/udp # Session Initiation Protocol (SIP)
sip 5060/tcp # Session Initiation Protocol (SIP)
sip 5061/tcp # Session Initiation Protocol (SIP) over TLS

Careful consideration should be given to addresses of the types mentioned above by sites planning for packet filtering as part of their mitigation strategy for these vulnerabilities

Please note that this workaround may not protect vulnerable devices from internal attacks

Egress filtering

Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound traffic to the Internet. In the case of the SIP vulnerabilities, employing egress filtering on the ports listed above at your network border may prevent your network from being used as a source for attacks on other sites

Block SIP requests directed to broadcast addresses at your router.

Since SIP requests can be transmitted via UDP, broadcast attacks are possible. One solution to prevent your site from being used as an intermediary in an attack is to block SIP requests directed to broadcast addresses at your router

Appendix A. - Vendor Information

America Online Inc.

     Not vulnerable

Apple Computer Inc.

     There are currently no applications shipped by Apple with Mac OS X or Mac OS X Server which make use of the Session Initiation Protocol

Borderware

     No BorderWare products make use of SIP and thus no BorderWare products are affected by this vulnerability

Clavister

     No Clavister products currently incorporate support for the SIP protocol suite, and as such, are not vulnerable. We would however like to extend our thanks to the OUSPG for their work as well as for the responsible manner in which they handle their discoveries. Their detailed reports and test suites are certainly well-received. We would also like to reiterate the fact that SIP has yet to mature, protocol-wise as well as implementation-wise. We do not recommend that our customers set up SIP relays in parallel to our firewall products to pass SIP-based applications in or out of networks where security is a concern of note

F5 Networks

     F5 Networks does not have a SIP server product, and is therefore not affected by this vulnerability

Fujitsu

     With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable because the relevant function is not supported under UXP/V.

IBM

     SIP is not implemented as part of the AIX operating system

IP Filter

     IPFilter does not do any SIP specific protocol handling and is therefore not affected by the issues mentioned in the paper cited

IPTel

     All versions of SIP Express Router up to 0.8.9 are sadly vulnerable to the OUSPG test suite. We strongly advice to upgrade to version 0.8.10. Please also apply the patch to version 0.8.10 from http://www.iptel.org/ser/security before installation and keep on watching this site in the future. We apologize to our users for the trouble

Hewlett-Packard Company

Source:
Hewlett-Packard Company
Software Security Response Team cross reference id: SSRT2402

     HP-UX - not vulnerable
     HP-MPE/ix - not vulnerable
     HP Tru64 UNIX - not vulnerable
     HP OpenVMS - not vulnerable
     HP NonStop Servers - not vulnerable

     To report potential security vulnerabilities in HP software, send an E-mail message to security-alert@hp.com

Lucent

     No Lucent products are known to be affected by this vulnerability, however we are still researching the issue and will update this statement as needed

Microsoft Corporation

     Microsoft has investigated these issues. The Microsoft SIP client implementation is not affected

NEC Corporation

Server Products
* EWS/UP 48 Series operating system
* - is NOT vulnerable, because it does not support SIP

Router Products
* IX 1000 / 2000 / 5000 Series
* - is NOT vulnerable, because it does not support SIP.

Other Network products
* We continue to check our products which support SIP protocol.

NETBSD

     NetBSD does not ship any implementation of SIP

NETfilter.org

     As the linux 2.4/2.5 netfilter implementation currently doesn't support connection tracking or NAT for the SIP protocol suite, we are not vulnerable to this bug

NetScreen

     NetScreen is not vulnerable to this issue.

Network Appliance

     NetApp products are not affected by this vulnerability.

Nokia

     Nokia IP Security Platforms based on IPSO, Nokis Small Office Solution platforms, Nokia VPN products and Nokia Message Protector platform do not initiate or terminate SIP based sessions. The mentioned Nokia products are not susceptible to this vulnerability

Nortel Networks

     Nortel Networks is cooperating to the fullest extent with the CERT Coordination Center. All Nortel Networks products that use Session Initiation Protocol (SIP) have been tested and all generally available products, with the following exceptions, have passed the test suite:

Succession Communication Server 2000 and Succession Communication Server 2000 - Compact are impacted by the test suite only in configurations where SIP-T has been provisioned within the Communication Server; a software patch is expected to be available by the end of February

For further information about Nortel Networks products please contact Nortel Networks Global Network Support

Novell

     Novell has no products implementing SIP.

Secure Computing Corporation

     Neither Sidewinder nor Gauntlet implements SIP, so we do not need to be on the vendor list for this vulnerability

SecureWorx

     We hereby attest that SecureWorx Basilisk Gateway Security product suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the Session Initiation Protocol (SIP) Vulnerability VU#528719 as described in the OUSPG announcement (OUSPG#0106) received on Fri, 8 Nov 2002 10:17:11 -0500

Stonesoft

     Stonesoft's StoneGate high availability firewall and VPN product does not contain any code that handles SIP protocol. No versions of StoneGate are vulnerable

Symantec

     Symantec Corporation products are not vulnerable to this issue. Symantec does not implement the Session Initiation Protocol (SIP) in any of our products

Xerox

     Xerox is aware of this vulnerability and is currently assessing all products. This statement will be updated as new information becomes available

Appendix B. - References

  1. http://www.ee.oulu.fi/research/ouspg/protos
  2. http://www.kb.cert.org/vuls/id/528719
  3. http://www.cert.org/tech_tips/denial_of_service.html
  4. http://www.ietf.org/html.charters/sip-charter.html
  5. RFC3261 - SIP: Session Initiation Protocol
  6. RFC2327 - SDP: Session Description Protocol
  7. RFC2279 - UTF-8, a transformation format of ISO 10646
  8. Session Initiation Protocol Basic Call Flow Examples
  9. Session Initiation Protocol Torture Test Messages, Draft
This document is available from Web
Сайт управляется системой uCoz