[ISN] SIP weakness could expose VoIP gear to attacks

(forwarded from ISN)


By Phil Hochmuth
Network World Fusion

A glitch in some vendors' Session Initiation Protocol (SIP) software
could leave SIP-enabled devices - such as IP phones, IP PBXs and
instant messaging clients - vulnerable to denial-of-service attacks,
the CERT Coordination Center said last week.

The Oulu University Secure Programming Group (OUSPG) discovered that
when a certain SIP test suite (PROTOS c07-sip) is applied to SIP
clients devices or proxy servers, it caused "impacts ranging from
unexpected system behavior and denial of services to remote code
execution," according to the CERT warning.

The vulnerably relates to the "invite" messages SIP devices send to
each other to initiate sessions such as VoIP calls, text chat or

SIP is an emerging VoIP protocol used to establish sessions among SIP
"agents," such as IP phones, softphones, text chat clients, and video
applications. Industry observers have called text-based SIP the
successor to the H.323 protocol, used widely in IP-based telephony and
videoconferencing equipment. Vendors with IP PBX and phone products
that use SIP include Alcatel, Avaya, Cisco, Mitel, Nortel, Pingtel,
Ploycom, and Siemens. Microsoft Windows Messenger - a Web telephony,
chat and video client included in Windows XP - also uses SIP.

According to CERT and Cisco's Web site, Cisco's 7940 and 7960 models
of IP phones running SIP images prior to version 4.2 are vulnerable,
as well as Cisco routers running Cisco IOS 12.2T and 12.2X. PIX
firewalls running software versions with SIP support - beginning with
version 5.2(1) and up to, but not including versions 6.2(2), 6.1(4),
6.0(4) and 5.2(9) - are also affected, Cisco says. Fixes to these
products are available from Cisco's Web site.

Microsoft says its SIP-based software is not affected by the

Nortel says its Succession Communication Server 2000 and Succession
Communication Server 2000 - Compact are affected by the vulnerability
only when SIP-T has been enabled on the IP PBX products. Patches for
these products are available at Nortel's Web site.

Other vendors with SIP-based products have not posted comments on the
CERT Coordination Center Web site.