[NEWS] Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Cisco Unified IP Phone models contain multiple overflow and denial of
service (DoS) vulnerabilities. There are workarounds for several of these
vulnerabilities. Cisco has made free software available to address this
issue for affected customers.

DETAILS

Vulnerable Products
The following Cisco Unified IP Phone devices running Skinny Client Control
Protocol (SCCP) firmware:
* 7906G
* 7911G
* 7935
* 7936
* 7940
* 7940G
* 7941G
* 7960
* 7960G
* 7961G
* 7970G
* 7971G

The following Cisco Unified IP Phone devices running Session Initiation
Protocol (SIP) firmware:
* 7940
* 7940G
* 7960
* 7960G

The version of firmware running on an IP Phone can be determined via the
Settings menu on the phone or via the phone HTTP interface.

Products Confirmed Not Vulnerable
No other Cisco products are known to be vulnerable. This includes the
following Cisco Unified IP Phone devices:
* 7931
* 7937
* 7942
* 7945
* 7965
* 7975

SCCP and SIP-Related Vulnerabilities
* DNS Response Parsing Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SCCP
and SIP firmware contain a buffer overflow vulnerability in the handling
of DNS responses. A specially-crafted DNS response may be able to trigger
a buffer overflow and execute arbitrary code on a vulnerable phone. This
vulnerability is corrected in SCCP firmware version 8.0(8) and SIP
firmware version 8.8(0). This vulnerability is documented in CVE-2008-0530
and Cisco Bug IDs CSCsj74818 and CSCsk21863.

SCCP-Only Related Vulnerabilities
* Large ICMP Echo Request DoS
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SCCP
firmware contain a DoS vulnerability. It is possible to cause a vulnerable
device to reboot by sending a large ICMP echo request packet. This
vulnerability is corrected in SCCP firmware version 8.0(6). This
vulnerability is documented in CVE-2008-0526 and Cisco Bug ID CSCsh71110.

* HTTP Server DoS
Cisco Unified IP Phone 7935 and 7936 devices running SCCP firmware contain
a DoS vulnerability in their internal HTTP server. By sending a specially
crafted HTTP request to TCP port 80 on a vulnerable phone, it may be
possible to cause the phone to reboot. It is possible to work around this
issue by disabling the internal HTTP server on vulnerable phones. The
internal HTTP server only listens on TCP port 80. This vulnerability is
corrected in SCCP firmware version 3.2(18) for 7935 devices and SCCP
firmware version 3.3(15) for 7936 devices. This vulnerability is
documented in CVE-2008-0527 and Cisco Bug ID CSCsk20026.

* SSH Server DoS
Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G and 7971G devices
running SCCP firmware contain a buffer overflow vulnerability in their
internal Secure Shell (SSH) server. By sending a specially crafted packet
to TCP port 22 on a vulnerable phone, it may be possible for an
unauthenticated attacker to cause the phone to reboot. It may also be
possible for an unauthenticated attacker to execute arbitrary code with
system privileges. It is possible to work around this issue by disabling
the internal SSH server on vulnerable phones. The internal SSH server only
listens on TCP port 22. This vulnerability is corrected in SCCP firmware
version 8.2(2)SR2. This vulnerability is documented in CVE-2004-2486 and
Cisco Bug ID CSCsh79629.

SIP-Only Related Vulnerabilities
* SIP MIME Boundary Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SIP
firmware contain a buffer overflow vulnerability in the handling of
Multipurpose Internet Mail Extensions (MIME) encoded data. By sending a
specially crafted SIP message to a vulnerable phone, it may be possible to
trigger a buffer overflow and execute arbitrary code on the phone. This
vulnerability is corrected in SIP firmware version 8.8(0). This
vulnerability is documented in CVE-2008-0528 and Cisco Bug ID CSCsj74786.

* Telnet Server Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SIP
firmware contain a buffer overflow vulnerability in their internal telnet
server. The telnet server is disabled by default and can be configured to
allow either privileged or unprivileged user-level access. If the telnet
server is enabled for privileged or unprivileged access, the phone
password parameter must additionally be configured to permit telnet
access. By entering a specially crafted command on a phone configured to
permit unprivileged access, it may be possible for an unprivileged-level,
authenticated user to trigger a buffer overflow and obtain
privileged-level access to the phone. It is possible to work around this
issue by disabling the internal telnet server on vulnerable phones. This
vulnerability is corrected in SIP firmware version 8.8(0). This
vulnerability is documented in CVE-2008-0529 and Cisco Bug ID CSCsj78359.

* SIP Proxy Response Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SIP
firmware contain a heap overflow vulnerability in the handling of a
challenge/response message from a SIP proxy. If an attacker controls the
SIP proxy to which a vulnerable phone is registered, attempts to register,
or the attacker can act as a man-in-the-middle, it may be possible to send
a malicious challenge/response message to a phone and execute arbitrary
code. This vulnerability is corrected in SIP firmware version 8.8(0). This
vulnerability is documented in CVE-2008-0531 and Cisco Bug ID CSCsj74765.

Impact
Successful exploitation of these vulnerabilities may cause vulnerable IP
phone devices to reboot, which will interrupt client voice services, and
in some cases may allow the execution of arbitrary code.

Software Versions and Fixes
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices
to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco Technical
Assistance Center ("TAC") or your contracted maintenance provider for
assistance.
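Taken together, the fixed firmware versions listed above form a per-model table that can be checked mechanically against a phone inventory. The following Python is an added example, not Cisco's or SecuriTeam's code: it encodes the fixed versions stated in this advisory, parses Cisco's major.minor(maintenance)SRn firmware version format, and reports which of the advisory's issues remain unfixed on each phone of a constructed inventory (the inventory rows and their firmware values are made up).

```python
import re

# Fixed firmware per (protocol, model), taken from the advisory text above.
FIXES = {("SCCP", m): [("DNS response parsing overflow", "8.0(8)"),
                       ("Large ICMP echo request DoS", "8.0(6)")]
         for m in ("7940", "7940G", "7960", "7960G")}
FIXES.update({("SCCP", "7935"): [("HTTP server DoS", "3.2(18)")],
              ("SCCP", "7936"): [("HTTP server DoS", "3.3(15)")]})
FIXES.update({("SCCP", m): [("SSH server overflow", "8.2(2)SR2")]
              for m in ("7906G", "7911G", "7941G", "7961G", "7970G", "7971G")})
FIXES.update({("SIP", m): [("DNS response parsing overflow", "8.8(0)"),
                           ("SIP MIME boundary overflow", "8.8(0)"),
                           ("Telnet server overflow", "8.8(0)"),
                           ("SIP proxy response overflow", "8.8(0)")]
              for m in ("7940", "7940G", "7960", "7960G")})

# Cisco phone firmware looks like 3.2(18), 8.0(8) or 8.2(2)SR2 (service release).
_VER = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:SR(\d+))?$")

def parse_version(text):
    """Turn '8.2(2)SR2' into the comparable tuple (8, 2, 2, 2); no SR counts as 0."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError("unrecognised firmware version: %r" % text)
    major, minor, maint, sr = m.groups()
    return (int(major), int(minor), int(maint), int(sr or 0))

def unfixed_issues(model, protocol, version):
    """Issues from this advisory that the given firmware does not yet fix.
    A (protocol, model) the advisory does not list yields an empty list."""
    current = parse_version(version)
    return [issue for issue, fixed in FIXES.get((protocol.upper(), model), [])
            if current < parse_version(fixed)]

# Constructed inventory rows (model, protocol, firmware); the values are made up.
INVENTORY = [
    ("7960G", "SCCP", "8.0(6)"),     # ICMP fix present, DNS fix missing
    ("7941G", "SCCP", "8.2(2)SR1"),  # one service release short of the SSH fix
    ("7936",  "SCCP", "3.3(15)"),    # exactly the fixed version
    ("7960",  "SIP",  "7.5(2)"),     # all four SIP-line issues unfixed
    ("7942",  "SCCP", "8.3(1)"),     # confirmed not vulnerable, not in the table
]

def report(inventory=INVENTORY):
    """Map each inventory row to the list of advisory issues still open on it."""
    return {row: unfixed_issues(*row) for row in inventory}

if __name__ == "__main__":
    for row, issues in report().items():
        print(*row, "->", ", ".join(issues) or "no open issues from this advisory")
```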

Workarounds
Workarounds are available for several of the vulnerabilities. Disabling
unnecessary internal phone Telnet and HTTP servers will eliminate exposure
to the Telnet Server overflow and HTTP Server DoS vulnerabilities.

It is possible to mitigate these vulnerabilities with access control lists
(ACLs). Filters that deny ICMP Echo Request, TCP port 22 (SSH), TCP port 23
(Telnet), TCP port 80 (HTTP), TCP/UDP port 53 (DNS) and TCP/UDP port 5060
(SIP) should be deployed at voice/data network boundaries as part of a
transit ACL (tACL) policy protecting traffic that enters the network at
ingress access points. This policy should be configured to protect the
network device and the other devices behind it where the filter is applied.

Additional information about tACLs is available in "Transit Access Control
Lists: Filtering at Your Edge":

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080213-phone.shtml


ADDITIONAL INFORMATION

The information has been provided by the Cisco Systems Product Security
Incident Response Team.
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml


