Vulnerability Note VU#726548

Voice mail systems allow administrative access based on Caller ID

Overview

Certain voice mail systems trust Calling Number Identification (CNID, Caller ID) to authenticate administrative access to voice mail accounts. Caller ID can be easily spoofed, allowing an attacker to gain control over a vulnerable voice mailbox.

I. Description

Some voice mail systems use Caller ID to authenticate administrative access to individual voice mail accounts. If the Caller ID of an inbound call matches the number assigned to the telephone associated with the voice mailbox, the system assumes that the call is originating from that phone, and the call is routed to the voice mailbox with administrative privileges. The party originating the call can then listen to and delete messages, modify the greeting, and perform other administrative functions. Some systems ring the phone first, others do not.

Caller ID can be readily spoofed using freely available PBX software and an H.323/VoIP gateway service, and possibly via other methods. Caller ID should not be trusted for authentication.

Depending on available product features and default configurations, voice mail service providers may or may not have the option to use Caller ID to authenticate administrative access to voice mail accounts. There are two groups represented in the Systems Affected section of this document: voice mail product/system vendors and voice mail service providers. A vendor is noted as "Not Vulnerable" if their products do not allow Caller ID to be used for authentication by default or do not allow it at all. A service provider is noted as "Not Vulnerable" if their voice mail services do not rely on Caller ID for authentication.

II. Impact

An attacker can gain administrative access to a voice mailbox. Depending on the system, the attacker could listen to and delete messages, change the greeting message, or make other modifications. By changing the greeting message, an attacker may be able to charge calls to an account with a vulnerable voice mail system:

Any system that relies solely on Caller ID for authentication may be vulnerable to impersonation or spoofing attacks.

III. Solution

Require password authentication

If possible, configure voice mail systems to require a password/PIN to authenticate access to administrative account functions. A unique default password should be assigned to each voice mail account.
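
The following Python sketch is an added example, not code from US-CERT or from any vendor listed in this note. It contrasts the Caller ID-only decision described in Section I with a check that always requires a PIN; the Mailbox model, the function names, the 8-digit PIN length, and the lockout threshold are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_FAILURES = 3  # assumed lockout threshold, not taken from the note


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Mailbox:  # hypothetical model of one voice mail account
    number: str                 # phone number assigned to the mailbox
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    audit: list = field(default_factory=list)  # (presented CNID, result)


def provision(number: str) -> tuple[Mailbox, str]:
    """Create a mailbox with a unique random default PIN (returned once)."""
    pin = f"{secrets.randbelow(10**8):08d}"
    salt = secrets.token_bytes(16)
    return Mailbox(number, salt, _hash_pin(pin, salt)), pin


def admin_access_cnid_only(box: Mailbox, cnid: str) -> bool:
    """Pattern the note warns about: a CNID match alone grants admin access."""
    return cnid == box.number


def admin_access_with_pin(box: Mailbox, cnid: str, pin: str) -> bool:
    """CNID is recorded for audit only; the decision depends on the PIN."""
    if box.failures >= MAX_FAILURES:
        box.audit.append((cnid, "locked"))
        return False  # stays locked until reset out of band
    ok = hmac.compare_digest(_hash_pin(pin, box.salt), box.pin_hash)
    box.failures = 0 if ok else box.failures + 1
    box.audit.append((cnid, "ok" if ok else "bad-pin"))
    return ok


if __name__ == "__main__":
    box, default_pin = provision("5550100")  # constructed sample number
    print("CNID-only, matching CNID:", admin_access_cnid_only(box, "5550100"))
    print("PIN check, matching CNID, wrong PIN:",
          admin_access_with_pin(box, "5550100", "00000000x"))
    print("PIN check, other CNID, right PIN:",
          admin_access_with_pin(box, "5550199", default_pin))
```

With the PIN check in place, the presented Caller ID has no effect on the outcome: a matching number with a wrong PIN is refused, and repeated failures lock the mailbox.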

Systems Affected

Vendor | Status | Date Notified | Date Updated
3Com | Unknown | 30-May-2003
Alcatel | Unknown | 30-May-2003
Allied Telesis | Unknown | 31-Jan-2007
AT&T | Unknown | 30-May-2003
Avaya | Not Vulnerable | 24-Jun-2003
Cable and Wireless | Not Vulnerable | 30-May-2003
Cisco Systems, Inc. | Unknown | 2-Jun-2003
Hewlett-Packard Company | Unknown | 2-Jun-2003
IBM Corporation | Unknown | 30-May-2003
Lucent Technologies | Vulnerable | 7-Aug-2003
MCI | Unknown | 8-Aug-2003
Mediatrix Telecom Inc | Not Vulnerable | 2-Jul-2003
MetaSwitch | Unknown | 31-Jan-2007
Mitel | Not Vulnerable | 30-May-2003
Motorola | Unknown | 30-May-2003
NetIQ | Unknown | 31-Jan-2007
Nokia | Unknown | 30-May-2003
Nortel Networks, Inc. | Vulnerable | 15-Jul-2003
Pingtel | Not Vulnerable | 5-Jun-2003
Polycom | Unknown | 31-Jan-2007
Qwest | Unknown | 8-Aug-2003
RAD Data Communications | Unknown | 31-Jan-2007
SBC | Unknown | 8-Aug-2003
Shoreline Communication | Not Vulnerable | 23-Jun-2003
Siemens | Unknown | 4-Jun-2003
Sphere | Unknown | 31-Jan-2007
Sprint | Vulnerable | 30-May-2003
StarVox | Unknown | 31-Jan-2007
T-Mobile | Vulnerable | 30-May-2003

Credit

This vulnerability was reported by Gus Bourg.

This document was written by Art Manion.

Other Information

Date Public: 2007-01-30
Date First Published: 2007-01-30
Date Last Updated: 2007-03-30
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 9.22
Document Revision: 29

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Produced 2007 by US-CERT, a government organization