Vulnerability Note VU#528719
Multiple implementations of the Session Initiation Protocol (SIP) contain multiple types of vulnerabilities
Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices.
The Oulu University Secure Programming Group (OUSPG) has discovered a variety of vulnerabilities in multiple implementations of the Session Initiation Protocol (SIP). OUSPG has previously conducted research into vulnerabilities in various protocol implementations, including LDAP, culminating in CERT Advisory CA-2001-18 and SNMP, resulting in CERT Advisory CA-2002-03. OUSPG has again asked us to coordinate with them in letting affected vendors know of their findings.
The Session Initiation Protocol (SIP) is a signaling protocol for various instant messaging, Voice Over Internet Protocol (VoIP), and other telephony applications. OUSPG has focused on a subset of SIP as the subject protocol for vulnerability assessment. Information about SIP can be found on the IETF Charter page for SIP. OUSPG is has released the results of their investigations to the public. More details may be found in CERT Advisory CA-2003-06.
Impacts range from unexpected system behavior and denial of service to execution of arbitrary code.
Upgrade or apply the patches as specified by your vendor.
Vulnerable applications supporting the Session Initiation Protocol (SIP) may have access blocked at a network perimeter on ports 5060/tcp and 5060/udp.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Alcatel||Affected||30 Oct 2002||06 Mar 2003|
|Cirpack||Affected||-||13 Mar 2003|
|Cisco Systems, Inc.||Affected||30 Oct 2002||21 Feb 2003|
|Columbia SIP User Agent (sipc)||Affected||-||25 Feb 2003|
|DynamicSoft Inc||Affected||26 Nov 2002||27 Feb 2003|
|Ingate Systems||Affected||-||07 Mar 2003|
|IPTel||Affected||30 Oct 2002||20 Feb 2003|
|Mediatrix Telecom Inc||Affected||-||09 May 2003|
|Nortel Networks, Inc.||Affected||30 Oct 2002||24 Jul 2003|
|Pingtel||Affected||30 Oct 2002||24 Mar 2003|
|AOL Time Warner||Not Affected||30 Oct 2002||25 Mar 2003|
|Apple Computer, Inc.||Not Affected||30 Oct 2002||17 Feb 2003|
|Avaya||Not Affected||30 Oct 2002||25 Feb 2003|
|Borderware||Not Affected||30 Oct 2002||17 Feb 2003|
|Check Point||Not Affected||30 Oct 2002||06 Mar 2003|
CVSS Metrics (Learn More)
The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities, for providing detailed technical analyses, and for assisting us in preparing this advisory. We would also like to acknowlede the "RedSkins" project of "MediaTeam Oulu" for their support of this research.
This document was originally written by Jason A Rafail. Revisions were made by Jeffrey S. Havrilla.
- CVE IDs: CVE-2003-1108
- CERT Advisory: CA-2003-06
- Date Public: 21 Feb 2003
- Date First Published: 21 Feb 2003
- Date Last Updated: 21 May 2007
- Severity Metric: 17.72
- Document Revision: 36
If you have feedback, comments, or additional information about this vulnerability, please send us email.