#################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
#################################################
#
# Product: OmniPCX Enterprise
# Vendor:  Alcatel
# Subject: VoIP Phone Audio Stream Rerouting Vulnerability
# Risk:    High
# Effect:  Currently exploitable
# Author:  Daniel Stirnimann (daniel.stirnimann (at) csnc (dot) ch)
# Date:    November, 19th 2007
#
#################################################

Introduction:
-------------
If a malicious user sends a TFTP request to the
signaling server with the MAC address of the
victim's VoIP phone as part of the file name, he
is able to reroute only the audio stream coming
from the other end of the call to his computer's
IP address.

Even though an Alcatel VoIP phone can make or take
calls, and send audio, it is prevented from
hearing anything said at the other end of the
communication. The VoIP phone needs to be rebooted
manually in order to work again.

This vulnerability may be further exploited by
rerouting the audio stream to the victim's VoIP
phone again. This would only allow the malicious
user to eavesdrop on half of the victim's audio
communication: what the victim says is not
intercepted; only the answers made by the other
party would be overheard. Note that this scenario
has not been verified.
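
A detection check for the request pattern described above, added here as an example and not part of the original advisory or of Alcatel's software: it parses TFTP read/write requests (RFC 1350) seen at the signaling server and flags any whose file name contains the MAC address of a known phone while the request comes from a different IP address. The MAC-to-IP inventory, the file names and the sample packets are constructed assumptions; the advisory does not give the actual file name format.

```python
import re
import struct

# ASSUMPTION: constructed inventory, phone MAC -> IP address that phone uses.
PHONE_INVENTORY = {"020000aa0001": "10.0.20.11", "020000aa0002": "10.0.20.12"}

# Six hex pairs with optional separators, not embedded in a longer hex run.
MAC_RE = re.compile(r"(?<![0-9a-f])(?:[0-9a-f]{2}[:\-._]?){5}[0-9a-f]{2}(?![0-9a-f])", re.I)

def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ per RFC 1350, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):              # 1 = RRQ, 2 = WRQ
        return None
    fields = payload[2:].split(b"\x00")   # filename NUL mode NUL [options...]
    if len(fields) < 3 or not fields[0]:  # unterminated or empty file name
        return None
    return opcode, fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()

def macs_in_filename(filename: str):
    """Return every MAC-like token in the file name, normalised to 12 hex digits."""
    return [re.sub(r"[^0-9a-f]", "", m.group(0).lower()) for m in MAC_RE.finditer(filename)]

def suspicious_requests(events):
    """events: (src_ip, udp_payload) pairs seen on the signaling server's TFTP port."""
    alerts = []
    for src_ip, payload in events:
        parsed = parse_tftp_request(payload)
        if parsed is None:
            continue
        for mac in macs_in_filename(parsed[1]):
            owner_ip = PHONE_INVENTORY.get(mac)
            if owner_ip is not None and owner_ip != src_ip:   # MAC named by another host
                alerts.append((src_ip, mac, owner_ip, parsed[1]))
    return alerts

# Constructed sample traffic; the file names are hypothetical, not Alcatel's real ones.
SAMPLE_EVENTS = [
    ("10.0.20.11", b"\x00\x01cfg-020000aa0001.bin\x00octet\x00"),       # phone, own MAC
    ("10.0.30.77", b"\x00\x01cfg-02:00:00:AA:00:02.bin\x00octet\x00"),  # other host, phone 2's MAC
    ("10.0.30.77", b"\x00\x04\x00\x01"),                                # ACK, not a request
    ("10.0.20.12", b"\x00\x01cfg-020000aa0002"),                        # truncated request
]

if __name__ == "__main__":
    for src, mac, owner, name in suspicious_requests(SAMPLE_EVENTS):
        print(f"ALERT {src} requested {name!r} naming MAC {mac} of phone {owner}")
```

Where phones get their addresses by DHCP, the inventory has to be kept in step with the current leases, or the check will flag phones that merely changed address.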

Vulnerable:
-----------
Alcatel OmniPCX Enterprise release 7.1 and earlier

Not vulnerable:
---------------
Alcatel OmniPCX Enterprise release 8.0

Vulnerability Management:
-------------------------
June 2007:     Vulnerability found
June 2007:     Alcatel Security notified
November 2007: Alcatel Advisory available
November 2007: Alcatel Security Information

Alcatel-Lucent information:
---------------------------
http://www1.alcatel-lucent.com/psirt/statements.htm
Number 2007004

Reference:
http://www.csnc.ch/static/advisory/secadvisorylist.html