search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Voice mail systems allow administrative access based on Caller ID

Vulnerability Note VU#726548

Original Release Date: 2007-01-30 | Last Revised: 2007-03-30

Overview

Certain voice mail systems trust Calling Number Identification (CNID, Caller ID) to authenticate administrative access to voice mail accounts. Caller ID can be easily spoofed, allowing an attacker to gain control over a vulnerable voice mailbox.

Description

Some voice mail systems use Caller ID to authenticate administrative access to individual voice mail accounts. If the Caller ID of an inbound call matches the number assigned to the telephone associated with the voice mailbox, the system assumes that the call is originating from that phone, and the call is routed to the voice mailbox with administrative privileges. The party originating the call can then listen to and delete messages, modify the greeting, and perform other administrative functions. Some systems ring the phone first, others do not.

Caller ID can be readily spoofed using freely available PBX software and a H.323/VOIP gateway service, and possibly via other methods. Caller ID should not be trusted for authentication.

Depending on available product features and default configurations, voice mail service providers may or may not have the option to use Caller ID to authenticate administrative access to voice mail accounts. There are two groups represented in the Systems Affected section of this document: voice mail product/system vendors and voice mail service providers. A vendor is noted as "Not Vulnerable" if their products do not allow Caller ID to be used for authentication by default or do not allow it at all. A service provider is noted as "Not Vulnerable" if their voice mail services do not rely on Caller ID for authentication.

Impact

An attacker can gain administrative access to a voice mailbox. Depending on the system, the attacker could listen to and delete messages, change the greeting message, or make other modifications. By changing the greeting message, an attacker may be able to charge calls to an account with a vulnerable voice mail system:

<http://www.wired.com/news/infostructure/0,1377,58517,00.html>

Any system that relies solely on caller ID for authentication may be vulnerable to impersonation or spoofing attacks.

Solution

Require password authentication
If possible, configure voice mail systems to require a password/PIN to authenticate access to administrative account functions. A unique default password should be assigned to each voice mail account.

Vendor Information

726548
 
Affected   Unknown   Unaffected

Lucent Technologies

Notified:  May 27, 2003 Updated:  August 07, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nortel Networks, Inc.

Notified:  May 28, 2003 Updated:  July 15, 2003

Status

  Vulnerable

Vendor Statement

Nortel Networks CallPilot and Meridian Mail voicemail systems do not generally authenticate by Caller ID but require a mailbox number + password to authenticate access to the mailbox. For additional security, users are forced to change the default password assigned to a newly created mailbox, the first time they logon. The only exception is where the auto logon feature is specifically configured by the administrator for a mailbox, in which case a user at the given Directory Number can access the corresponding mailbox without entering the mailbox number + password. Nortel Networks voicemail systems do not hard code or default to this behavior.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sprint

Notified:  May 28, 2003 Updated:  May 30, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

T-Mobile

Notified:  May 30, 2003 Updated:  May 30, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Avaya

Notified:  May 28, 2003 Updated:  June 24, 2003

Status

  Not Vulnerable

Vendor Statement

Avaya voicemail systems are not vulnerable to attacks that use caller ID information to authenticate administrative access to voice mailboxes.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cable and Wireless

Notified:  May 28, 2003 Updated:  May 30, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mediatrix Telecom Inc

Notified:  June 05, 2003 Updated:  July 02, 2003

Status

  Not Vulnerable

Vendor Statement

Mediatrix Telecom, inc does not provide voice mail system, and is therefore not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mitel

Notified:  May 29, 2003 Updated:  May 30, 2003

Status

  Not Vulnerable

Vendor Statement

Not vulnerable. A PIN is always required for administrative voicemail access and configuration. The default configuration requires a PIN for user mailbox access.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Pingtel

Notified:  May 28, 2003 Updated:  June 05, 2003

Status

  Not Vulnerable

Vendor Statement

Pingtel's voicemail product does not presently allow administrative access via a TUI (telephony user interface) to individual voicemail accounts.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Shoreline Communication

Notified:  May 28, 2003 Updated:  June 23, 2003

Status

  Not Vulnerable

Vendor Statement

Shoreline's Voice System does not use Caller ID for authentication to Voice Mail.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

3Com

Notified:  May 28, 2003 Updated:  May 30, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

AT&T

Notified:  May 28, 2003 Updated:  May 30, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Alcatel

Notified:  May 28, 2003 Updated:  May 30, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Allied Telesis

Updated:  January 31, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cisco Systems, Inc.

Notified:  May 28, 2003 Updated:  June 02, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  May 28, 2003 Updated:  June 02, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Corporation

Notified:  May 28, 2003 Updated:  May 30, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MCI

Notified:  July 30, 2003 Updated:  August 08, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MetaSwitch

Updated:  January 31, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Motorola

Notified:  May 28, 2003 Updated:  May 30, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetIQ

Updated:  January 31, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nokia

Notified:  May 28, 2003 Updated:  May 30, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Polycom

Updated:  January 31, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Qwest

Notified:  July 30, 2003 Updated:  August 08, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

RAD Data Communications

Updated:  January 31, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SBC

Notified:  July 30, 2003 Updated:  August 08, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Siemens

Notified:  June 02, 2003 Updated:  June 04, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sphere

Updated:  January 31, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

StarVox

Updated:  January 31, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

View all 29 vendors View less vendors


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

This vulnerability was reported by Gus Bourg.

This document was written by Art Manion.

Other Information

CVE IDs: None
Severity Metric: 9.22
Date Public: 2007-01-30
Date First Published: 2007-01-30
Date Last Updated: 2007-03-30 19:49 UTC
Document Revision: 29

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.