#############################################################
#############################################################
#############################################################
A malicious user who can send spoofed packets to an IP phone is able to freeze it. A potential victim
does not recognize that his IP phone is offline until he tries to use it. Signs which make it obvious
for the victim that his IP phone is not working are that he does not here a line peep sound when
trying to make a call or that the LCD display is not updated.
The attack uses valid UNIStim "Mute / UnMute" messages which are sent to the IP phone with a spoofed
server source address.
Nortel has noted this as:
Title: Potential DoS Vulnerability - IP Phone Freeze to Offline State
Number: 2007008386
http://support.nortel.com/go/main.jsp?cscat=SECUREADVISORY
Nortel IP Phone 1140E
IP Softphone 2050
and others.
See associated products on the Nortel advisory.
June 2007: Vulnerability found
June 2007: Nortel Security notified
October 2007: Nortel Advisory available
October 2007: Compass Security Information
Follow the recommended actions for the affected systems, as identified in the Nortel Advisory.
Flooding an IP phone with valid UNIStim messages freezes the IP phone. The IP phone needs to be
rebooted by pulling the power cord in order to work again.
The proof-of-concept code uses "Mute / UnMute" UNIStim messages. The ID number is increased
sequentially from 1 to 65535. After the packets have been sent, the phone is frozen and cannot be
used. The phone does not ring if it's number is called and the LCD display is not updated.
Reference:
http://www.csnc.ch/static/advisory/secadvisorylist.html