Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18233
HistoryOct 20, 2007 - 12:00 a.m.

Nortel IP Phone forced re-authentication

2007-10-2000:00:00
vulners.com
50
JSON

#############################################################

COMPASS SECURITY ADVISORY http://www.csnc.ch/

#############################################################

Product: IP Phone

Vendor: Nortel

Subject: IP Phone forced re-authentication

Risk: High

Effect: Currently exploitable

Author: Daniel Stirnimann (daniel.stirnimann (at) csnc (dot) ch)

Date: October, 18th 2007

#############################################################

Introduction:

The UNIStim signalisation protocol is vulnerable against spoofed re-authentication messages. A
malicious user can send spoofed registration messages to the server to which a UNIStim IP phone is
connected. This can force the legitimate IP phone into a situation where it must re-register
with the server to maintain service. A continuous stream of these messages prevents the IP phone from
properly registering.

Nortel has noted this as:
Title: DoS Potential Vulnerability - UNIStim IP Phone Forced to Re-register
Number: 2007008385
http://support.nortel.com/go/main.jsp?cscat=SECUREADVISORY

Vulnerable:

Nortel IP Phone 1140E
IP Softphone 2050
and others.

See associated products on the Nortel advisory.

Vulnerability Management:

June 2007: Vulnerability found
June 2007: Nortel Security notified
October 2007: Nortel Advisory & Patches available
October 2007: Compass Security Information

Remediation:

Follow the recommended actions for the affected systems, as identified in the Nortel Advisory.

Technical Description:

A malicious user can send a resume message to the signaling server to which an IP phone is connected.
The resume message is a UNIStim UDP datagram. In order for the signaling server to detect which IP
phone wants to resume the
connection it reads the source IP address from the UDP datagram to identify the client. That means we
can send a spoofed resume UNIStim UDP datagram.

The server sends the new sequence number back to the IP phone. However, because we spoofed the above
message, we don't see the response. The effect is that, the IP phone is out of sync with the server.
During this time, the IP phone can not take on or make any calls. As soon as the IP phone realizes
that it is out of sync (watchdog timeout
expired) it will re-authenticate against the signaling server. Note that if the malicious user
continues to send spoofed resume messages
the hard phone will not be able to go online.

Reference:
http://www.csnc.ch/static/advisory/secadvisorylist.html

JSON