Certain voice mail systems trust Calling Number Identification (CNID, Caller ID) to authenticate administrative access to voice mail accounts. Caller ID can be easily spoofed, allowing an attacker to gain control over a vulnerable voice mailbox.
Some voice mail systems use Caller ID to authenticate administrative access to individual voice mail accounts. If the Caller ID of an inbound call matches the number assigned to the telephone associated with the voice mailbox, the system assumes that the call is originating from that phone, and the call is routed to the voice mailbox with administrative privileges. The party originating the call can then listen to and delete messages, modify the greeting, and perform other administrative functions. Some systems ring the phone first, others do not.
Caller ID can be readily spoofed using freely available PBX software and an H.323/VoIP gateway service, and possibly via other methods. Caller ID should not be trusted for authentication.
An attacker can gain administrative access to a voice mailbox. Depending on the system, the attacker could listen to and delete messages, change the greeting message, or make other modifications. By changing the greeting message, an attacker may be able to charge calls to an account with a vulnerable voice mail system:
Require password authentication
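The access decision described above, shown beside the recommended fix. This is an added example, not code from the original advisory or from any vendor's product; the `Mailbox` type, the function names, the lockout threshold and the phone numbers are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 3  # assumed lockout threshold, not taken from the advisory


@dataclass
class Mailbox:
    number: str       # telephone number assigned to this mailbox
    salt: bytes
    pin_hash: bytes
    failures: int = 0


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def new_mailbox(number: str, pin: str) -> Mailbox:
    salt = os.urandom(16)
    return Mailbox(number, salt, hash_pin(pin, salt))


def pin_ok(box: Mailbox, pin) -> bool:
    # Refuse when no PIN was entered or the mailbox is locked out.
    if pin is None or box.failures >= MAX_FAILURES:
        return False
    ok = hmac.compare_digest(hash_pin(pin, box.salt), box.pin_hash)
    box.failures = 0 if ok else box.failures + 1
    return ok


def admin_access_cnid_trust(box: Mailbox, caller_id: str, pin=None) -> bool:
    """Vulnerable policy: a matching Caller ID skips the PIN entirely."""
    if caller_id == box.number:
        return True  # caller-asserted value treated as proof of identity
    return pin_ok(box, pin)


def admin_access_require_pin(box: Mailbox, caller_id: str, pin=None) -> bool:
    """Hardened policy: Caller ID is ignored for authentication; the PIN decides."""
    return pin_ok(box, pin)
```

Under the hardened policy the presented Caller ID has no influence on the outcome, so a call showing the mailbox's own number is treated the same as any other call.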
|Lucent Technologies||Affected|
|Nortel Networks, Inc.||Affected|
|Avaya||Not Affected|
|Cable and Wireless||Not Affected|
|Mediatrix Telecom Inc||Not Affected|
|Mitel||Not Affected|
|Pingtel||Not Affected|
|Shoreline Communication||Not Affected|
|Allied Telesis||Unknown|
|Cisco Systems, Inc.||Unknown|
|Hewlett-Packard Company||Unknown|
|IBM Corporation||Unknown|
|RAD Data Communications||Unknown|
This vulnerability was reported by Gus Bourg.
This document was written by Art Manion.
|Date First Published:||2007-01-30|
|Date Last Updated:||2007-03-30 19:49 UTC|