Vulnerability Note VU#528719

Multiple implementations of the Session Initiation Protocol (SIP) contain multiple types of vulnerabilities

Original Release date: 21 Feb 2003 | Last revised: 21 May 2007

Overview

Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices.

Description

The Oulu University Secure Programming Group (OUSPG) has discovered a variety of vulnerabilities in multiple implementations of the Session Initiation Protocol (SIP). OUSPG has previously conducted research into vulnerabilities in various protocol implementations, including LDAP, culminating in CERT Advisory CA-2001-18 and SNMP, resulting in CERT Advisory CA-2002-03. OUSPG has again asked us to coordinate with them in letting affected vendors know of their findings.

The Session Initiation Protocol (SIP) is a signaling protocol for various instant messaging, Voice Over Internet Protocol (VoIP), and other telephony applications. OUSPG has focused on a subset of SIP as the subject protocol for vulnerability assessment. Information about SIP can be found on the IETF Charter page for SIP. OUSPG is has released the results of their investigations to the public. More details may be found in CERT Advisory CA-2003-06.

Impact

Impacts range from unexpected system behavior and denial of service to execution of arbitrary code.

Solution

Upgrade or apply the patches as specified by your vendor.

Vulnerable applications supporting the Session Initiation Protocol (SIP) may have access blocked at a network perimeter on ports 5060/tcp and 5060/udp.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
AlcatelAffected30 Oct 200206 Mar 2003
CirpackAffected-13 Mar 2003
Cisco Systems, Inc.Affected30 Oct 200221 Feb 2003
Columbia SIP User Agent (sipc)Affected-25 Feb 2003
DynamicSoft IncAffected26 Nov 200227 Feb 2003
Ingate SystemsAffected-07 Mar 2003
IPTelAffected30 Oct 200220 Feb 2003
Mediatrix Telecom IncAffected-09 May 2003
Nortel Networks, Inc.Affected30 Oct 200224 Jul 2003
PingtelAffected30 Oct 200224 Mar 2003
AOL Time WarnerNot Affected30 Oct 200225 Mar 2003
Apple Computer, Inc.Not Affected30 Oct 200217 Feb 2003
AvayaNot Affected30 Oct 200225 Feb 2003
BorderwareNot Affected30 Oct 200217 Feb 2003
Check PointNot Affected30 Oct 200206 Mar 2003
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities, for providing detailed technical analyses, and for assisting us in preparing this advisory. We would also like to acknowlede the "RedSkins" project of "MediaTeam Oulu" for their support of this research.

This document was originally written by Jason A Rafail. Revisions were made by Jeffrey S. Havrilla.

Other Information

  • CVE IDs: CVE-2003-1108
  • CERT Advisory: CA-2003-06
  • Date Public: 21 Feb 2003
  • Date First Published: 21 Feb 2003
  • Date Last Updated: 21 May 2007
  • Severity Metric: 17.72
  • Document Revision: 36

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.