[NEWS] 3com NBX IP Phone System Denial of Service Attack (CEL)

From: support@securiteam.com
Date: 12/04/02

  • Next message: support@securiteam.com: "[NT] E-mail Header Processing Flaw Could Cause Outlook 2002 to Fail" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 4 Dec 2002 12:03:57 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      3com NBX IP Phone System Denial of Service Attack (CEL)
    ------------------------------------------------------------------------

    SUMMARY

    3Com® SuperStack® 3 NBX® and 3Com NBX 100 networked telephony solutions
    offer wide-ranging price/performance alternatives to fit your business
    needs today and tomorrow. 3Com® SuperStack® 3 NBX® Networked Telephony
    Solution Delivers robust, full-featured business communications for up to
    1500 devices (lines/stations) Ensures high system availability with the
    Wind River VxWorks real-time operating system (also used in pacemakers and
    artificial hearts), so server and PC downtime does not impact your
    telephone service.

    VxWorks and pSOSystem are the most widely adopted real-time operating
    systems (RTOSs) in the embedded industry -- for good reason. They are
    flexible, scalable, reliable, and available on all popular CPU platforms.
    They are also, by most measures, the fastest RTOSs available today.

    A remote security vulnerability in the product allows a remote attackers
    to cause a denial of service against the product.

    DETAILS

    Vulnerable systems:
     * 3com NBX IP Phone Call manager, firmware versions through 4.1.4

    Exploit:
    It was possible to make the remote FTP server crash by issuing this
    command:
    CEL aaaa[...]aaaa where string is 2048 bytes long. This can be done with
    netcat, a windows client by telneting to the NBX server on port 21 or by
    running the aix_ftpd.nasl test in nessus ( <http://www.nessus.org>
    http://www.nessus.org)

    The 3com NBX uses VXWORKS Embedded Real time Operating system and what
    appears to be their own internal ftp server.

    By sending a specific string of data to the ftp server, an attacker can
    disable not only the FTP server, but the integrated web based
    administrative console and the call manager preventing diagnostics,
    control and all incoming, outgoing or internal calls. Any calls in
    progress cannot be disconnected, and in the case of long distance calls,
    could result in excessive long distance bills and extended loss of use of
    the phone system.

    This condition is not recovered without a Hard reboot (power off/on).
    Since the 3com NBX is based on an embedded UNIX operating system, and
    abrupt power off could cause loss of data, including corruption of voice
    mails in progress or logs.

    A company who uses the VoIP features for remote locations, and who has the
    call manager located on the outside of their firewall, or has no firewall
    can have their voice communications disrupted easily. Even if the company
    has call manager located on internal network, people with internal network
    access can also disrupt communications.

    We have tested 3com NBX firmware version 4.0.17 (with FTPd version 5.4)
    and NBX firmware version 4.1.4 (FTPd version 5.4.2) and this bug seems to
    be present in both systems.

    Vendor Response:
    3com confirmed problem and received a field patch, TSR(296292) from
    VxWorks to address the problem. Neither WindRiver nor 3com has provided a
    test bed or access to a fixed system for us verify fix. 3com will be
    working to integrate this TSR into a future release of the NBX build but
    has no date yet for release. Also, since FTPd is only used for debugging
    and diagnostics, a future firmware will allow the administrator the
    ability to turn off FTPd if not used.

    Please contact 3com for further information.

    Solution:
    There is no known fix. If you have information about a fix, please contact
     <mailto:security@secnap.net> security@secnap.net

    There appears to be on way to turn off the build in ftp server in this
    version of the software, no way to do IP address limits via TCP wrapper or
    ACLs, and if there is a build in firewall, there is no documented way to
    access it. The only way we know of to prevent a denial of service attack
    on the 3com NBX is to place it behind its own firewall. If call manager is
    placed on the Internet side of the firewall or in the DMZ, care should be
    taken to prohibit any access to ftp port (TCP port 21). This may be
    impossible on an internal network unless 3com NBX is itself placed behind
    a firewall, or on a separate VLAN or network segment.

    Care should be taken in this approach, since some firewalls may interfere
    with the VoIP operations.
    (see Firewall limits vex VoIP users
    <http://www.nwfusion.com/news/2002/0625bleeding.html>
    http://www.nwfusion.com/news/2002/0625bleeding.html )

    Additional Information:
    A tcpdump/pcap packet of the exploit and FTPd/NBX response can be found at
     <http://www.secnap.net/private/nbx.pcap>
    http://www.secnap.net/private/nbx.pcap

    A copy of this report can be found at
    <http://www.secnap.net/security/nbx001.html>
    http://www.secnap.net/security/nbx001.html and at
    <http://www.kb.cert.org/vuls/id/317417>
    http://www.kb.cert.org/vuls/id/317417.

    To test your systems for this vulnerability, you can use Nessus at
    www.nessus.org. Either update your signatures, or download this nessus
    signature: vxworks_ftpd.nasl -
    <http://cgi.nessus.org/plugins/dump.php?id=11185>
    http://cgi.nessus.org/plugins/dump.php?id=11185

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:Scheidell@secnap.com>
    Michael S. Scheidell of SECNAP Network Security.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

    Relevant Pages