[NEWS] 3com NBX IP Phone System Denial of Service Attack (CEL)

From: support@securiteam.com
Date: 12/04/02

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 4 Dec 2002 12:03:57 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      3com NBX IP Phone System Denial of Service Attack (CEL)
    ------------------------------------------------------------------------

    SUMMARY

    3Com® SuperStack® 3 NBX® and 3Com NBX 100 networked telephony solutions
    offer wide-ranging price/performance alternatives to fit your business
    needs today and tomorrow. The 3Com® SuperStack® 3 NBX® Networked Telephony
    Solution delivers robust, full-featured business communications for up to
    1500 devices (lines/stations) and ensures high system availability with the
    Wind River VxWorks real-time operating system (also used in pacemakers and
    artificial hearts), so server and PC downtime does not impact your
    telephone service.

    VxWorks and pSOSystem are the most widely adopted real-time operating
    systems (RTOSs) in the embedded industry -- for good reason. They are
    flexible, scalable, reliable, and available on all popular CPU platforms.
    They are also, by most measures, the fastest RTOSs available today.

    A remote security vulnerability in the product allows remote attackers
    to cause a denial of service against the product.

    DETAILS

    Vulnerable systems:
     * 3com NBX IP Phone Call manager, firmware versions through 4.1.4

    Exploit:
    It was possible to make the remote FTP server crash by issuing this
    command:
    CEL aaaa[...]aaaa where the string is 2048 bytes long. This can be done with
    netcat or a Windows client by telnetting to the NBX server on port 21, or by
    running the aix_ftpd.nasl test in Nessus (http://www.nessus.org).

    The 3com NBX uses the VxWorks embedded real-time operating system and what
    appears to be Wind River's own internal FTP server.

    By sending a specific string of data to the FTP server, an attacker can
    disable not only the FTP server, but also the integrated web-based
    administrative console and the call manager, preventing diagnostics,
    control and all incoming, outgoing or internal calls. Any calls in
    progress cannot be disconnected, and in the case of long distance calls,
    this could result in excessive long distance bills and extended loss of use
    of the phone system.
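    As an added example (not part of the advisory), the following script flags the pattern described above when post-processing client-to-server FTP control lines, e.g. extracted from a capture of traffic to TCP port 21. The 512-byte threshold and the RFC 959 verb list are assumptions; the sample session is constructed.

```python
import re
from typing import List, NamedTuple, Optional

# Assumption: legitimate FTP control lines are a short verb plus a short
# argument; anything longer than this is treated as abnormal.
MAX_LINE_LEN = 512
# Assumption: standard RFC 959 verbs; anything else is reported as non-standard.
STANDARD_VERBS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "SMNT", "QUIT", "REIN", "PORT",
    "PASV", "TYPE", "STRU", "MODE", "RETR", "STOR", "STOU", "APPE", "ALLO",
    "REST", "RNFR", "RNTO", "ABOR", "DELE", "RMD", "MKD", "PWD", "LIST",
    "NLST", "SITE", "SYST", "STAT", "HELP", "NOOP",
}
VERB_RE = re.compile(rb"^([A-Za-z]{3,4})(?:\s+(.*))?$")

class Finding(NamedTuple):
    src: str        # client address the line came from
    verb: str       # FTP verb, upper-cased, or "?" if unparseable
    arg_len: int    # length of the argument in bytes
    reasons: tuple  # why the line was flagged

def inspect_ftp_line(src: str, raw: bytes) -> Optional[Finding]:
    """Return a Finding if one client-to-server control line looks suspicious."""
    line = raw.rstrip(b"\r\n")
    m = VERB_RE.match(line)
    if not m:
        return Finding(src, "?", len(line), ("unparseable control line",))
    verb = m.group(1).decode("ascii").upper()
    arg = m.group(2) or b""
    reasons = []
    if len(line) > MAX_LINE_LEN:
        reasons.append(f"control line of {len(line)} bytes exceeds {MAX_LINE_LEN}")
    if verb not in STANDARD_VERBS:
        reasons.append(f"non-standard verb {verb}")
    return Finding(src, verb, len(arg), tuple(reasons)) if reasons else None

def scan_session(src: str, lines: List[bytes]) -> List[Finding]:
    """Scan every client line of one control connection and collect findings."""
    return [f for f in (inspect_ftp_line(src, l) for l in lines) if f is not None]

# Constructed sample: a normal anonymous login followed by the oversized CEL
# command described in the advisory (verb plus a 2048-byte argument).
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.invalid\r\n",   # placeholder, not a real address
    b"CEL " + b"a" * 2048 + b"\r\n",
]

if __name__ == "__main__":
    for f in scan_session("192.0.2.10", SAMPLE_SESSION):  # documentation address
        print(f"{f.src}: {f.verb} ({f.arg_len}-byte argument): {'; '.join(f.reasons)}")
```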

    This condition is not recovered from without a hard reboot (power off/on).
    Since the 3com NBX is based on an embedded UNIX-like operating system, an
    abrupt power-off could cause loss of data, including corruption of voice
    mails in progress or logs.

    A company that uses the VoIP features for remote locations, and that has the
    call manager located on the outside of its firewall, or has no firewall,
    can have its voice communications disrupted easily. Even if the company
    has the call manager located on the internal network, people with internal
    network access can also disrupt communications.

    We have tested 3com NBX firmware version 4.0.17 (with FTPd version 5.4)
    and NBX firmware version 4.1.4 (FTPd version 5.4.2) and this bug seems to
    be present in both systems.

    Vendor Response:
    3com confirmed the problem and received a field patch, TSR(296292), from
    VxWorks to address it. Neither WindRiver nor 3com has provided a
    test bed or access to a fixed system for us to verify the fix. 3com will be
    working to integrate this TSR into a future release of the NBX build but
    has no release date yet. Also, since FTPd is only used for debugging
    and diagnostics, a future firmware will allow the administrator to turn
    off FTPd if it is not used.

    Please contact 3com for further information.

    Solution:
    There is no known fix. If you have information about a fix, please contact
    security@secnap.net

    There appears to be no way to turn off the built-in FTP server in this
    version of the software, no way to do IP address limits via TCP wrappers or
    ACLs, and if there is a built-in firewall, there is no documented way to
    access it. The only way we know of to prevent a denial of service attack
    on the 3com NBX is to place it behind its own firewall. If the call manager
    is placed on the Internet side of the firewall or in the DMZ, care should be
    taken to prohibit any access to the FTP port (TCP port 21). This may be
    impossible on an internal network unless the 3com NBX is itself placed
    behind a firewall, or on a separate VLAN or network segment.

    Care should be taken in this approach, since some firewalls may interfere
    with the VoIP operations.
    (see "Firewall limits vex VoIP users",
    http://www.nwfusion.com/news/2002/0625bleeding.html)

    Additional Information:
    A tcpdump/pcap packet of the exploit and FTPd/NBX response can be found at
    http://www.secnap.net/private/nbx.pcap

    A copy of this report can be found at
    http://www.secnap.net/security/nbx001.html and at
    http://www.kb.cert.org/vuls/id/317417.

    To test your systems for this vulnerability, you can use Nessus at
    www.nessus.org. Either update your signatures, or download this Nessus
    signature: vxworks_ftpd.nasl -
    http://cgi.nessus.org/plugins/dump.php?id=11185

    ADDITIONAL INFORMATION

    The information has been provided by Michael S. Scheidell
    (Scheidell@secnap.com) of SECNAP Network Security.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
