[VulnWatch] CERT Advisory CA-2003-06 Multiple vulnerabilities in SIP/VoIP

From: Rain Forest Puppy (rfp@vulnwatch.org)
Date: 02/21/03

    Date: Fri, 21 Feb 2003 20:21:29 +0000 (GMT)
    From: Rain Forest Puppy <rfp@vulnwatch.org>
    To: vulnwatch@vulnwatch.org

    ---------- Forwarded message ----------
    Date: Fri, 21 Feb 2003 10:24:04 -0500
    From: CERT Advisory <cert-advisory@cert.org>
    To: cert-advisory@cert.org
    Subject: CERT Advisory CA-2003-06 Multiple vulnerabilities in
        implementations of the Session Initiation Protocol (SIP)


    CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the
    Session Initiation Protocol (SIP)

       Original release date: February 21, 2003
       Last revised: --
       Source: CERT/CC

       A complete revision history can be found at the end of this file.

    Systems Affected

       SIP-enabled products from a wide variety of vendors are affected.
       Other systems making use of SIP may also be vulnerable but were not
       specifically tested. Not all SIP implementations are affected. See
       Vendor Information for details from vendors who have provided feedback
       for this advisory.

       In addition to the vendors who provided feedback for this advisory, a
       list of vendors whom CERT/CC contacted regarding these problems is
       available from VU#528719.

    Overview

       Numerous vulnerabilities have been reported in multiple vendors'
       implementations of the Session Initiation Protocol. These
       vulnerabilities may allow an attacker to gain unauthorized privileged
       access, cause denial-of-service attacks, or cause unstable system
       behavior. If your site uses SIP-enabled products in any capacity, the
       CERT/CC encourages you to read this advisory and follow the advice
       provided in the Solution section below.

    I. Description

       The Session Initiation Protocol (SIP) is a developing and newly
       deployed protocol that is commonly used in Voice over IP (VoIP),
       Internet telephony, instant messaging, and various other applications.
       SIP is a text-based protocol for initiating communication and data
       sessions between users.

       The Oulu University Secure Programming Group (OUSPG) previously
       conducted research into vulnerabilities in LDAP, culminating in CERT
       Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03.

       OUSPG's most recent research focused on a subset of SIP related to the
       INVITE message, which SIP agents and proxies are required to accept in
       order to set up sessions. By applying the PROTOS c07-sip test suite to
       a variety of popular SIP-enabled products, the OUSPG discovered
       impacts ranging from unexpected system behavior and denial of services
       to remote code execution. Note that "throttling" is an expected

       Specifications for the Session Initiation Protocol are available in
       RFC 3261 [5].

       OUSPG has established the following site with detailed documentation
       regarding SIP and the implementation test results from the test suite
       (reference [1]): http://www.ee.oulu.fi/research/ouspg/protos/

       The IETF Charter page for SIP is available at
       http://www.ietf.org/html.charters/sip-charter.html [4]

    II. Impact

       Exploitation of these vulnerabilities may result in denial-of-service
       conditions, service interruptions, and in some cases may allow an
       attacker to gain unauthorized access to the affected device. Specific
       impacts will vary from product to product.

    III. Solution

       Many of the mitigation steps recommended below may have significant
       impact on your everyday network operations and/or network
       architecture. Ensure that any changes made based on the following
       recommendations will not unacceptably affect your ongoing network
       operations capability.

      Apply a patch from your vendor

         Appendix A contains information provided by vendors for this
         advisory. Please consult this appendix and VU#528719 to determine
         if your product is vulnerable. If a statement is unavailable, you
         may need to contact your vendor directly.

      Disable the SIP-enabled devices and services

         As a general rule, the CERT/CC recommends disabling any service or
         capability that is not explicitly required. Some of the affected
         products may rely on SIP to be functional. You should carefully
         consider the impact of blocking services that you may be using.

      Ingress filtering

         As a temporary measure, it may be possible to limit the scope of
         these vulnerabilities by blocking access to SIP devices and
         services at the network perimeter.

         Ingress filtering manages the flow of traffic as it enters a
         network under your administrative control. Servers are typically
         the only machines that need to accept inbound traffic from the
         public Internet. Note that most SIP User Agents (including IP
         phones or "client" software) consist of a User Agent Client and a
         User Agent Server. In the network usage policy of many sites, there
         are few reasons for external hosts to initiate inbound traffic to
         machines that provide no public services. Thus, ingress filtering
         should be performed at the border to prohibit externally initiated
         inbound traffic to non-authorized services. For SIP, ingress
         filtering of the following ports can prevent attackers outside of
         your network from accessing vulnerable devices in the local network
         that are not explicitly authorized to provide public SIP services:

         sip 5060/udp # Session Initiation Protocol (SIP)
         sip 5060/tcp # Session Initiation Protocol (SIP)
         sip 5061/tcp # Session Initiation Protocol (SIP) over TLS

         Sites planning packet filtering as part of their mitigation
         strategy should give careful consideration to the ports and hosts
         mentioned above, so that legitimate SIP traffic to explicitly
         authorized public services is not cut off.

         Please note that this workaround may not protect vulnerable devices
         from internal attacks.

      Egress filtering

         Egress filtering manages the flow of traffic as it leaves a network
         under your administrative control. There is typically limited need
         for machines providing public services to initiate outbound traffic
         to the Internet. In the case of the SIP vulnerabilities, employing
         egress filtering on the ports listed above at your network border
         may prevent your network from being used as a source for attacks on
         other sites.

      Block SIP requests directed to broadcast addresses at your router

         Since SIP requests can be transmitted via UDP, broadcast attacks
         are possible. One solution to prevent your site from being used as
         an intermediary in an attack is to block SIP requests directed to
         broadcast addresses at your router.
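
       The three filtering recommendations above (ingress filtering, egress
       filtering and blocking SIP to broadcast addresses) are expressed below as
       one small border-policy model. This is an added example, not part of the
       advisory and not any vendor's code. The internal prefix 192.0.2.0/24, the
       single host 192.0.2.10 authorized to provide public SIP service, the
       interface name eth0 and the sample packets are all constructed for the
       illustration. border_verdict applies the policy to one packet, and
       iptables_rules renders the same policy as Linux FORWARD-chain rules, which
       is one way a site with a Linux border router would implement it.

```python
import ipaddress
from dataclasses import dataclass

# The three ports the advisory lists for ingress/egress filtering.
SIP_PORTS = {("udp", 5060), ("tcp", 5060), ("tcp", 5061)}
# Constructed site layout for this example: one internal prefix and one host
# that is explicitly authorized to provide public SIP service.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
PUBLIC_SIP_SERVERS = {ipaddress.ip_address("192.0.2.10")}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


def is_sip(p: Packet) -> bool:
    return (p.proto, p.dport) in SIP_PORTS


def is_broadcast(dst: ipaddress.IPv4Address) -> bool:
    # Limited broadcast plus the directed broadcast of the site prefix.
    return dst == LIMITED_BROADCAST or dst == INTERNAL.broadcast_address


def border_verdict(p: Packet) -> str:
    """Decide what the border filter does with one packet: 'allow' or 'drop: <reason>'.

    Policy, following the advisory's three recommendations:
      - drop SIP to broadcast addresses (no use as an amplification intermediary)
      - ingress: SIP from outside may only reach the authorized public SIP servers
      - egress: only those servers may originate SIP towards the Internet
    Internal-to-internal traffic never crosses the border and is not seen here,
    which is exactly the gap the advisory says this workaround leaves open.
    """
    if not is_sip(p):
        return "allow"           # non-SIP traffic is governed by other rules
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if is_broadcast(dst):
        return "drop: SIP to broadcast address"
    inbound = src not in INTERNAL and dst in INTERNAL
    outbound = src in INTERNAL and dst not in INTERNAL
    if inbound and dst not in PUBLIC_SIP_SERVERS:
        return "drop: ingress SIP to a host not authorized for public SIP"
    if outbound and src not in PUBLIC_SIP_SERVERS:
        return "drop: egress SIP from a host not authorized for public SIP"
    return "allow"


def iptables_rules(wan_if: str = "eth0") -> list[str]:
    """Render the same policy as iptables FORWARD-chain commands for a Linux border router.

    Rule order matters: broadcast drops first, then the explicit ACCEPTs for the
    authorized servers, then the catch-all DROPs for each SIP port and direction.
    """
    rules = []
    for proto, port in sorted(SIP_PORTS):
        for bcast in (LIMITED_BROADCAST, INTERNAL.broadcast_address):
            rules.append(f"iptables -A FORWARD -p {proto} --dport {port} -d {bcast} -j DROP")
        for srv in sorted(PUBLIC_SIP_SERVERS):
            rules.append(f"iptables -A FORWARD -i {wan_if} -p {proto} --dport {port} -d {srv} -j ACCEPT")
            rules.append(f"iptables -A FORWARD -o {wan_if} -p {proto} --dport {port} -s {srv} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -i {wan_if} -p {proto} --dport {port} -j DROP")
        rules.append(f"iptables -A FORWARD -o {wan_if} -p {proto} --dport {port} -j DROP")
    return rules


# Constructed packets exercising each branch of the policy.
SAMPLE_PACKETS = {
    "internet_to_public_server":  Packet("198.51.100.7", "192.0.2.10", "udp", 5060),
    "internet_to_desk_phone":     Packet("198.51.100.7", "192.0.2.55", "udp", 5060),
    "internet_to_directed_bcast": Packet("198.51.100.7", "192.0.2.255", "udp", 5060),
    "desk_phone_to_internet_tls": Packet("192.0.2.55", "203.0.113.9", "tcp", 5061),
    "public_server_to_internet":  Packet("192.0.2.10", "203.0.113.9", "tcp", 5060),
    "internet_http":              Packet("198.51.100.7", "192.0.2.55", "tcp", 80),
}


def evaluate(packets=SAMPLE_PACKETS) -> dict[str, str]:
    return {name: border_verdict(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:28s} {verdict}")
    print("\n".join(iptables_rules()))
```

       Two caveats the model makes visible. A phone at 192.0.2.55 sending an
       INVITE to another internal phone never reaches border_verdict at all, which
       is the internal-attack gap noted above. And the egress rule means an
       internal phone registered with an outside provider will have its SIP
       dropped, so a site that needs that has to either add the phone to the
       authorized set or route it through the authorized server; the static rules
       also assume the router's connection tracking handles the reply direction
       of permitted sessions.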

    Appendix A. - Vendor Information

       This appendix contains information provided by vendors for this
       advisory. As vendors report new information to the CERT/CC, we will
       update this section and note the changes in our revision history. If a
       particular vendor is not listed below, we have not received their

      America Online Inc

         Not vulnerable.

      Apple Computer Inc.

         There are currently no applications shipped by Apple with Mac OS X
         or Mac OS X Server which make use of the Session Initiation


         No BorderWare products make use of SIP and thus no BorderWare
         products are affected by this vulnerability.

      Clavister

         No Clavister products currently incorporate support for the SIP
         protocol suite, and as such, are not vulnerable.
         We would however like to extend our thanks to the OUSPG for their
         work as well as for the responsible manner in which they handle
         their discoveries. Their detailed reports and test suites are
         certainly well-received.
         We would also like to reiterate the fact that SIP has yet to
         mature, protocol-wise as well as implementation-wise. We do not
         recommend that our customers set up SIP relays in parallel to our
         firewall products to pass SIP-based applications in or out of
         networks where security is a concern of note.

      F5 Networks

         F5 Networks does not have a SIP server product, and is therefore
         not affected by this vulnerability.

      Fujitsu

         With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable
         because the relevant function is not supported under UXP/V.

      IBM

         SIP is not implemented as part of the AIX operating system.

      IP Filter

         IPFilter does not do any SIP specific protocol handling and is
         therefore not affected by the issues mentioned in the paper cited.

      iptel.org

         All versions of SIP Express Router up to 0.8.9 are sadly vulnerable
         to the OUSPG test suite. We strongly advise to upgrade to version
         0.8.10. Please also apply the patch to version 0.8.10 from
         before installation and keep on watching this site in the future.
         We apologize to our users for the trouble.

      Hewlett-Packard Company

         Hewlett-Packard Company
         Software Security Response Team
         cross reference id: SSRT2402

         HP-UX - not vulnerable
         HP-MPE/ix - not vulnerable
         HP Tru64 UNIX - not vulnerable
         HP OpenVMS - not vulnerable
         HP NonStop Servers - not vulnerable

         To report potential security vulnerabilities in HP software, send
         an E-mail message to: mailto:security-alert@hp.com

      Lucent Technologies

         No Lucent products are known to be affected by this vulnerability,
         however we are still researching the issue and will update this
         statement as needed.

      Microsoft Corporation

         Microsoft has investigated these issues. The Microsoft SIP client
         implementation is not affected.

      NEC Corporation

         NEC vendor statement for VU#528719

         sent on February 13, 2002
         Server Products
           * EWS/UP 48 Series operating system - is NOT vulnerable,
             because it does not support SIP.

         Router Products
           * IX 1000 / 2000 / 5000 Series - is NOT vulnerable, because it
             does not support SIP.

         Other Network products
           * We continue to check our products which support SIP protocol.

      NetBSD

         NetBSD does not ship any implementation of SIP.

      Netfilter

         As the linux 2.4/2.5 netfilter implementation currently doesn't
         support connection tracking or NAT for the SIP protocol suite, we
         are not vulnerable to this bug.

      NetScreen

         NetScreen is not vulnerable to this issue.

      Network Appliance

         NetApp products are not affected by this vulnerability.

      Nokia

         Nokia IP Security Platforms based on IPSO, Nokia Small Office
         Solution platforms, Nokia VPN products and Nokia Message Protector
         platform do not initiate or terminate SIP based sessions. The
         mentioned Nokia products are not susceptible to this vulnerability.

      Nortel Networks

         Nortel Networks is cooperating to the fullest extent with the CERT
         Coordination Center. All Nortel Networks products that use Session
         Initiation Protocol (SIP) have been tested and all generally
         available products, with the following exceptions, have passed the
         test suite:

         Succession Communication Server 2000 and Succession Communication
         Server 2000 - Compact are impacted by the test suite only in
         configurations where SIP-T has been provisioned within the
         Communication Server; a software patch is expected to be available
         by the end of February.

         For further information about Nortel Networks products please
         contact Nortel Networks Global Network Support.

         North America: 1-800-4-NORTEL, or (1-800-466-7835)
         Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907

         Contacts for other regions available at the Global Contact
         <http://www.nortelnetworks.com/help/contact/global/> web page.

      Novell

         Novell has no products implementing SIP.

      Secure Computing Corporation

         Neither Sidewinder nor Gauntlet implements SIP, so we do not need
         to be on the vendor list for this vulnerability.

      SecureWorx

         We hereby attest that SecureWorx Basilisk Gateway Security product
         suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the
         Session Initiation Protocol (SIP) Vulnerability VU#528719 as
         described in the OUSPG announcement (OUSPG#0106) received on Fri, 8
         Nov 2002 10:17:11 -0500.

      Stonesoft

         Stonesoft's StoneGate high availability firewall and VPN product
         does not contain any code that handles SIP protocol. No versions of
         StoneGate are vulnerable.

      Symantec Corporation

         Symantec Corporation products are not vulnerable to this issue.
         Symantec does not implement the Session Initiation Protocol (SIP)
         in any of our products.

      Xerox

         Xerox is aware of this vulnerability and is currently assessing all
         products. This statement will be updated as new information becomes

    Appendix B. - References

        1. http://www.ee.oulu.fi/research/ouspg/protos/
        2. http://www.kb.cert.org/vuls/id/528719
        3. http://www.cert.org/tech_tips/denial_of_service.html
        4. http://www.ietf.org/html.charters/sip-charter.html
        5. RFC 3261 - SIP: Session Initiation Protocol
        6. RFC 2327 - SDP: Session Description Protocol
        7. RFC 2279 - UTF-8, a transformation format of ISO 10646
        8. Session Initiation Protocol Basic Call Flow Examples
        9. Session Initiation Protocol Torture Test Messages, Draft

       The CERT Coordination Center thanks the Oulu University Secure
       Programming Group for reporting these vulnerabilities to us, for
       providing detailed technical analysis, and for assisting us in
       preparing this advisory. We would also like to acknowledge the
       "RedSkins" project of "MediaTeam Oulu" for their support of this

       Feedback on this document can be directed to the authors,
       Jason A. Rafail and Ian A. Finlay.

       This document is available from:

    CERT/CC Contact Information

       Email: cert@cert.org
              Phone: +1 412-268-7090 (24-hour hotline)
              Fax: +1 412-268-6989
              Postal address:
              CERT Coordination Center
              Software Engineering Institute
              Carnegie Mellon University
              Pittsburgh PA 15213-3890

       CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
       EDT(GMT-4) Monday through Friday; they are on call for emergencies
       during other hours, on U.S. holidays, and on weekends.

    Using encryption

       We strongly urge you to encrypt sensitive information sent by email.
       Our public PGP key is available from

       If you prefer to use DES, please call the CERT hotline for more

    Getting security information

       CERT publications and other security information are available from
       our web site

       To subscribe to the CERT mailing list for advisories and bulletins,
       send email to majordomo@cert.org. Please include in the body of your

       subscribe cert-advisory

       * "CERT" and "CERT Coordination Center" are registered in the U.S.
       Patent and Trademark Office.

       Any material furnished by Carnegie Mellon University and the Software
       Engineering Institute is furnished on an "as is" basis. Carnegie
       Mellon University makes no warranties of any kind, either expressed or
       implied as to any matter including, but not limited to, warranty of
       fitness for a particular purpose or merchantability, exclusivity or
       results obtained from use of the material. Carnegie Mellon University
       does not make any warranty of any kind with respect to freedom from
       patent, trademark, or copyright infringement.

       Conditions for use, disclaimers, and sponsorship information

       Copyright 2003 Carnegie Mellon University.

       Revision History
          Feb 21, 2003: Initial release
