FW: CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP)


CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the
Session Initiation Protocol (SIP)

   Original release date: February 21, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   SIP-enabled products from a wide variety of vendors are affected.
   Other systems making use of SIP may also be vulnerable but were not
   specifically tested. Not all SIP implementations are affected. See
   Vendor Information for details from vendors who have provided feedback
   for this advisory.

   In addition to the vendors who provided feedback for this advisory, a
   list of vendors whom CERT/CC contacted regarding these problems is
   available from VU#528719.

Overview

   Numerous vulnerabilities have been reported in multiple vendors'
   implementations of the Session Initiation Protocol. These
   vulnerabilities may allow an attacker to gain unauthorized privileged
   access, cause denial-of-service attacks, or cause unstable system
   behavior. If your site uses SIP-enabled products in any capacity, the
   CERT/CC encourages you to read this advisory and follow the advice
   provided in the Solution section below.

I. Description

   The Session Initiation Protocol (SIP) is a developing and newly
   deployed protocol that is commonly used in Voice over IP (VoIP),
   Internet telephony, instant messaging, and various other applications.
   SIP is a text-based protocol for initiating communication and data
   sessions between users.

   The Oulu University Secure Programming Group (OUSPG) previously
   conducted research into vulnerabilities in LDAP, culminating in CERT
   Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03.

   OUSPG's most recent research focused on a subset of SIP related to the
   INVITE message, which SIP agents and proxies are required to accept in
   order to set up sessions. By applying the PROTOS c07-sip test suite to
   a variety of popular SIP-enabled products, the OUSPG discovered
   impacts ranging from unexpected system behavior and denial of services
   to remote code execution. Note that "throttling" is an expected
   behavior.

   Specifications for the Session Initiation Protocol are available in
   RFC3261:

     http://www.ietf.org/rfc/rfc3261.txt

   OUSPG has established the following site with detailed documentation
   regarding SIP and the implementation test results from the test suite:

     http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/

   The IETF Charter page for SIP is available at

     http://www.ietf.org/html.charters/sip-charter.html

II. Impact

   Exploitation of these vulnerabilities may result in denial-of-service
   conditions, service interruptions, and in some cases may allow an
   attacker to gain unauthorized access to the affected device. Specific
   impacts will vary from product to product.

III. Solution

   Many of the mitigation steps recommended below may have significant
   impact on your everyday network operations and/or network
   architecture. Ensure that any changes made based on the following
   recommendations will not unacceptably affect your ongoing network
   operations capability.

  Apply a patch from your vendor

     Appendix A contains information provided by vendors for this
     advisory. Please consult this appendix and VU#528719 to determine
     if your product is vulnerable. If a statement is unavailable, you
     may need to contact your vendor directly.

  Disable the SIP-enabled devices and services

     As a general rule, the CERT/CC recommends disabling any service or
     capability that is not explicitly required. Some of the affected
     products may rely on SIP to be functional. You should carefully
     consider the impact of blocking services that you may be using.

  Ingress filtering

     As a temporary measure, it may be possible to limit the scope of
     these vulnerabilities by blocking access to SIP devices and
     services at the network perimeter.

     Ingress filtering manages the flow of traffic as it enters a
     network under your administrative control. Servers are typically
     the only machines that need to accept inbound traffic from the
     public Internet. Note that most SIP User Agents (including IP
     phones or "client" software) consist of a User Agent Client and a
     User Agent Server, so an IP phone is also a server that listens for
     inbound SIP. In the network usage policy of many sites, there
     are few reasons for external hosts to initiate inbound traffic to
     machines that provide no public services. Thus, ingress filtering
     should be performed at the border to prohibit externally initiated
     inbound traffic to non-authorized services. For SIP, ingress
     filtering of the following ports can prevent attackers outside of
     your network from accessing vulnerable devices in the local network
     that are not explicitly authorized to provide public SIP services:

     sip 5060/udp # Session Initiation Protocol (SIP)
     sip 5060/tcp # Session Initiation Protocol (SIP)
     sip 5061/tcp # Session Initiation Protocol (SIP) over TLS

     Sites planning packet filtering as part of their mitigation
     strategy for these vulnerabilities should consider carefully which
     hosts and services the filters on the ports above would affect.

     Please note that this workaround may not protect vulnerable devices
     from internal attacks.

  Egress filtering

     Egress filtering manages the flow of traffic as it leaves a network
     under your administrative control. There is typically limited need
     for machines providing public services to initiate outbound traffic
     to the Internet. In the case of the SIP vulnerabilities, employing
     egress filtering on the ports listed above at your network border
     may prevent your network from being used as a source for attacks on
     other sites.

  Block SIP requests directed to broadcast addresses at your router.

     Since SIP requests can be transmitted via UDP, broadcast attacks
     are possible. One solution to prevent your site from being used as
     an intermediary in an attack is to block SIP requests directed to
     broadcast addresses at your router.
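     The three border measures above (ingress filtering to authorized SIP
     servers only, egress filtering of the same ports, and dropping SIP
     directed to broadcast addresses) modeled as one filter decision, as an
     added Python example that is not part of the advisory; the internal
     network 192.0.2.0/24, the authorized server 192.0.2.10, and the
     reading of "egress filtering" as permitting outbound SIP only from
     authorized servers are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

# Ports listed in the advisory: (protocol, port).
SIP_PORTS = {("udp", 5060), ("tcp", 5060), ("tcp", 5061)}

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int
    direction: str  # "in" = entering our network, "out" = leaving it

class SipBorderPolicy:
    """Border filter: ingress, egress and broadcast rules for SIP traffic.

    internal_nets: address space under your administrative control.
    public_sip_servers: internal hosts explicitly authorized to offer public SIP.
    (Values passed in by the caller are constructed examples.)
    """
    def __init__(self, internal_nets, public_sip_servers):
        self.internal = [ipaddress.ip_network(n) for n in internal_nets]
        self.servers = {ipaddress.ip_address(a) for a in public_sip_servers}

    def _is_internal(self, addr):
        return any(addr in net for net in self.internal)

    def _is_broadcast(self, addr):
        # Limited broadcast or the directed broadcast of any internal subnet.
        return addr == ipaddress.ip_address("255.255.255.255") or any(
            addr == net.broadcast_address for net in self.internal)

    def decide(self, pkt):
        """Return 'accept' or 'drop' for one packet; non-SIP traffic is out of scope."""
        if (pkt.proto, pkt.dport) not in SIP_PORTS:
            return "accept"
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        # Drop SIP aimed at broadcast addresses so the site is neither the
        # target nor an intermediary of a broadcast attack.
        if self._is_broadcast(dst):
            return "drop"
        if pkt.direction == "in":
            # Ingress: external hosts may reach only authorized public SIP servers.
            if not self._is_internal(src) and dst not in self.servers:
                return "drop"
        elif pkt.direction == "out":
            # Egress (assumption): only authorized servers originate SIP to the
            # Internet, so other internal hosts cannot be used against other sites.
            if src not in self.servers and not self._is_internal(dst):
                return "drop"
        return "accept"
```

     Note that traffic between two internal hosts is accepted on both
     paths, which is exactly the gap the advisory warns about: this
     workaround does not protect vulnerable devices from internal attacks.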

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this
   advisory. As vendors report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular vendor is not listed below, we have not received their
   comments.

  America Online Inc

     Not vulnerable.

  Apple Computer Inc.

     There are currently no applications shipped by Apple with Mac OS X
     or Mac OS X Server which make use of the Session Initiation
     Protocol.

  Borderware

     No BorderWare products make use of SIP and thus no BorderWare
     products are affected by this vulnerability.

  Clavister

     No Clavister products currently incorporate support for the SIP
     protocol suite, and as such, are not vulnerable.
     We would however like to extend our thanks to the OUSPG for their
     work as well as for the responsible manner in which they handle
     their discoveries. Their detailed reports and test suites are
     certainly well-received.
     We would also like to reiterate the fact that SIP has yet to
     mature, protocol-wise as well as implementation-wise. We do not
     recommend that our customers set up SIP relays in parallel to our
     firewall products to pass SIP-based applications in or out of
     networks where security is a concern of note.

  F5 Networks

     F5 Networks does not have a SIP server product, and is therefore
     not affected by this vulnerability.

  Fujitsu

     With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable
     because the relevant function is not supported under UXP/V.

  IBM

     SIP is not implemented as part of the AIX operating system.

  IP Filter

     IPFilter does not do any SIP specific protocol handling and is
     therefore not affected by the issues mentioned in the paper cited.

  IPTel

     All versions of SIP Express Router up to 0.8.9 are sadly vulnerable
     to the OUSPG test suite. We strongly advise to upgrade to version
     0.8.10. Please also apply the patch to version 0.8.10 from
     http://www.iptel.org/ser/security/
     before installation and keep on watching this site in the future.
     We apologize to our users for the trouble.

  Hewlett-Packard Company

     Source:
     Hewlett-Packard Company
     Software Security Response Team
     cross reference id: SSRT2402

     HP-UX - not vulnerable
     HP-MPE/ix - not vulnerable
     HP Tru64 UNIX - not vulnerable
     HP OpenVMS - not vulnerable
     HP NonStop Servers - not vulnerable

     To report potential security vulnerabilities in HP software, send
     an E-mail message to: mailto:security-alert@hp.com

  Lucent

     No Lucent products are known to be affected by this vulnerability,
     however we are still researching the issue and will update this
     statement as needed.

  Microsoft Corporation

     Microsoft has investigated these issues. The Microsoft SIP client
     implementation is not affected.

  NEC Corporation