Vulnerability Note VU#528719

Overview

Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabiltites affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices.

Description

The Oulu University Secure Programming Group (OUSPG) has discovered a variety of vulnerabilities in multiple implementations of the Session Initiation Protocol (SIP). OUSPG has previously conducted research into vulnerabilities in various protocol implementations, including LDAP, culminating in CERT Advisory CA-2001-18 and SNMP, resulting in CERT Advisory CA-2002-03. OUSPG has again asked us to coordinate with them in letting affected vendors know of their findings. The Session Initiation Protocol (SIP) is a signaling protocol for various instant messaging, Voice Over Internet Protocol (VoIP), and other telephony applications. OUSPG has focused on a subset of SIP as the subject protocol for vulnerability assessment. Information about SIP can be found on the IETF Charter page for SIP. OUSPG is has released the results of their investigations to the public. More details may be found in CERT Advisory CA-2003-06.

Impact

Impacts range from unexpected system behavior and denial of service to execution of arbitrary code.

Solution

Upgrade or apply the patches as specified by your vendor.

Vulnerable applications supporting the Session Initiation Protocol (SIP) may have access blocked at a network perimeter on ports 5060/tcp and 5060/udp.

Systems Affected (Learn More)

Vendor	Status	Date Notified	Date Updated
Alcatel	Affected	30 Oct 2002	06 Mar 2003
Cirpack	Affected	-	13 Mar 2003
Cisco Systems, Inc.	Affected	30 Oct 2002	21 Feb 2003
Columbia SIP User Agent (sipc)	Affected	-	25 Feb 2003
DynamicSoft Inc	Affected	26 Nov 2002	27 Feb 2003
Ingate Systems	Affected	-	07 Mar 2003
IPTel	Affected	30 Oct 2002	20 Feb 2003
Mediatrix Telecom Inc	Affected	-	09 May 2003
Nortel Networks, Inc.	Affected	30 Oct 2002	24 Jul 2003
Pingtel	Affected	30 Oct 2002	24 Mar 2003
AOL Time Warner	Not Affected	30 Oct 2002	25 Mar 2003
Apple Computer, Inc.	Not Affected	30 Oct 2002	17 Feb 2003
Avaya	Not Affected	30 Oct 2002	25 Feb 2003
Borderware	Not Affected	30 Oct 2002	17 Feb 2003
Check Point	Not Affected	30 Oct 2002	06 Mar 2003

If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group	Score	Vector
Base	N/A	N/A
Temporal	N/A	N/A
Environmental	N/A	N/A

References

• http://www.ee.oulu.fi/research/ouspg/protos/
• http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/
• http://www.mediateam.oulu.fi/projects/redskins/?lang=en
• http://www.ietf.org/html.charters/sip-charter.html
• http://www.ietf.org/internet-drafts/draft-ietf-sipping-torture-tests-07.txt
• http://www.ietf.org/rfc/rfc3665.txt
• http://www.ietf.org/rfc/rfc3261.txt
• http://www.ietf.org/rfc/rfc2327.txt
• http://www.ietf.org/rfc/rfc2279.txt

Credit

The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities, for providing detailed technical analyses, and for assisting us in preparing this advisory. We would also like to acknowlede the "RedSkins" project of "MediaTeam Oulu" for their support of this research.

This document was originally written by Jason A Rafail. Revisions were made by Jeffrey S. Havrilla.

Other Information

• CVE IDs: CVE-2003-1108
• CERT Advisory: CA-2003-06
• Date Public: 21 Feb 2003
• Date First Published: 21 Feb 2003
• Date Last Updated: 21 May 2007
• Severity Metric: 17.72
• Document Revision: 36