SkipNavigation
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric



 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

 

Vulnerability Note VU#528719

Multiple implementations of the Session Initiation Protocol (SIP) contain multiple types of vulnerabilities

Overview

Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices.

I. Description

The Oulu University Secure Programming Group (OUSPG) has discovered a variety of vulnerabilities in multiple implementations of the Session Initiation Protocol (SIP). OUSPG has previously conducted research into vulnerabilities in various protocol implementations, including LDAP, culminating in CERT Advisory CA-2001-18 and SNMP, resulting in CERT Advisory CA-2002-03. OUSPG has again asked us to coordinate with them in letting affected vendors know of their findings.

The Session Initiation Protocol (SIP) is a signaling protocol for various instant messaging, Voice Over Internet Protocol (VoIP), and other telephony applications. OUSPG has focused on a subset of SIP as the subject protocol for vulnerability assessment. Information about SIP can be found on the IETF Charter page for SIP. OUSPG is has released the results of their investigations to the public. More details may be found in CERT Advisory CA-2003-06.

II. Impact

Impacts range from unexpected system behavior and denial of service to execution of arbitrary code.

III. Solution

Upgrade or apply the patches as specified by your vendor.

Vulnerable applications supporting the Session Initiation Protocol (SIP) may have access blocked at a network perimeter on ports 5060/tcp and 5060/udp.

Systems Affected

VendorStatusDate Updated
3ComUnknown17-Feb-2003
AlcatelVulnerable6-Mar-2003
AOL Time WarnerNot Vulnerable25-Mar-2003
Apple Computer, Inc.Not Vulnerable17-Feb-2003
AT&TUnknown17-Feb-2003
AvayaNot Vulnerable25-Feb-2003
Avici Systems Inc.Unknown20-Feb-2003
Berkeley Software Design, Inc.Unknown17-Feb-2003
BorderwareNot Vulnerable17-Feb-2003
Cable and WirlessUnknown20-Feb-2003
Check PointNot Vulnerable6-Mar-2003
CirpackVulnerable13-Mar-2003
Cisco Systems, Inc.Vulnerable21-Feb-2003
ClavisterNot Vulnerable17-Feb-2003
Columbia SIP User Agent (sipc)Vulnerable25-Feb-2003
Compaq Computer CorporationUnknown21-Feb-2003
Computer AssociatesUnknown17-Feb-2003
COVERT LabsUnknown17-Feb-2003
Cray Inc.Unknown17-Feb-2003
D-Link SystemsUnknown17-Feb-2003
Data GeneralUnknown17-Feb-2003
Debian LinuxUnknown17-Feb-2003
DynamicSoft IncVulnerable27-Feb-2003
EngardeUnknown17-Feb-2003
eSoftNot Vulnerable17-Feb-2003
EZonicsUnknown17-Feb-2003
F5 Networks, Inc.Not Vulnerable20-Feb-2003
Foundry Networks Inc.Not Vulnerable25-Mar-2003
FreeBSD, Inc.Unknown17-Feb-2003
FujitsuNot Vulnerable17-Feb-2003
Global Technology AssociatesUnknown17-Feb-2003
Hewlett-Packard CompanyNot Vulnerable20-Feb-2003
Hotsip ABNot Vulnerable12-Mar-2003
Hughes Software SystemsNot Vulnerable18-Apr-2003
IBM-zSeriesUnknown24-Feb-2003
IBM CorporationNot Vulnerable21-Feb-2003
Indigo SoftwareNot Vulnerable1-Apr-2003
Ingate SystemsVulnerable7-Mar-2003
IntelUnknown17-Feb-2003
IntotoNot Vulnerable24-Mar-2003
IP FilterNot Vulnerable17-Feb-2003
IPTelVulnerable20-Feb-2003
Juniper Networks, Inc.Not Vulnerable21-Feb-2003
KphoneNot Vulnerable17-Feb-2003
LachmanUnknown17-Feb-2003
Lockheed MartinUnknown17-Feb-2003
Lotus SoftwareUnknown19-Feb-2003
Lucent TechnologiesUnknown20-Feb-2003
Mandriva, Inc.Unknown17-Feb-2003
Mandriva, Inc.Unknown17-Feb-2003
Mediatrix Telecom IncVulnerable9-May-2003
MeetingHouse Data CommunicationsUnknown17-Feb-2003
Microsoft CorporationNot Vulnerable20-Feb-2003
Mitel Networks, Inc.Not Vulnerable19-Sep-2005
MontaVista Software, Inc.Unknown17-Feb-2003
MotorolaUnknown17-Feb-2003
MySIPUnknown17-Feb-2003
NEC CorporationNot Vulnerable20-May-2003
NETBSDNot Vulnerable17-Feb-2003
NETfilter.orgNot Vulnerable17-Feb-2003
NetScreenNot Vulnerable21-Feb-2003
Network ApplianceNot Vulnerable18-Feb-2003
NeXTUnknown17-Feb-2003
NokiaNot Vulnerable20-Feb-2003
Nortel Networks, Inc.Vulnerable24-Jul-2003
Novell, Inc.Not Vulnerable20-Feb-2003
OpenBSDUnknown17-Feb-2003
Openwall GNU/*/LinuxUnknown17-Feb-2003
Oracle CorporationUnknown17-Feb-2003
PingtelVulnerable24-Mar-2003
Process SoftwareUnknown17-Feb-2003
Red Hat, Inc.Not Vulnerable19-Feb-2003
Secure Computing CorporationNot Vulnerable17-Feb-2003
SecureWorxNot Vulnerable17-Feb-2003
Sequent Computer Systems, Inc.Unknown17-Feb-2003
SGIUnknown17-Feb-2003
Shoreline CommunicationNot Vulnerable17-Feb-2003
SiemensUnknown17-Feb-2003
Sony CorporationUnknown17-Feb-2003
StonesoftNot Vulnerable17-Feb-2003
Sun Microsystems, Inc.Unknown17-Feb-2003
SUSE LinuxUnknown17-Feb-2003
Symantec CorporationNot Vulnerable1-Apr-2003
The SCO Group (SCO Linux)Unknown17-Feb-2003
The SCO Group (SCO Unix)Unknown18-Feb-2003
UnisysUnknown26-Mar-2003
University of ColumbiaUnknown17-Feb-2003
VegastreamUnknown17-Feb-2003
WatchGuardNot Vulnerable17-Feb-2003
Wind River Systems, Inc.Unknown17-Feb-2003
WirexUnknown17-Feb-2003
Xerox CorporationUnknown17-Feb-2003
YahooUnknown17-Feb-2003
ZYXELUnknown17-Feb-2003

References


http://www.ee.oulu.fi/research/ouspg/protos/
http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/
http://www.mediateam.oulu.fi/projects/redskins/?lang=en
http://www.ietf.org/html.charters/sip-charter.html
http://www.ietf.org/internet-drafts/draft-ietf-sipping-torture-tests-07.txt
http://www.ietf.org/rfc/rfc3665.txt
http://www.ietf.org/rfc/rfc3261.txt
http://www.ietf.org/rfc/rfc2327.txt
http://www.ietf.org/rfc/rfc2279.txt

Credit

The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities, for providing detailed technical analyses, and for assisting us in preparing this advisory. We would also like to acknowlede the "RedSkins" project of "MediaTeam Oulu" for their support of this research.

This document was originally written by Jason A Rafail. Revisions were made by Jeffrey S. Havrilla.

Other Information

Date Public02/21/2003
Date First Published02/21/2003 10:13:19 AM
Date Last Updated05/21/2007
CERT AdvisoryCA-2003-06
CVE NameCVE-2003-1108
US-CERT Technical Alerts 
Metric17.72
Document Revision36

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2003 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader