################################################# # # COMPASS SECURITY ADVISORY http://www.csnc.ch/ # ################################################# # # Product: OmniPCX Enterprise # Vendor: Alcatel # Subject: VoIP Phone Audio Stream Rerouting Vulnerability # Risk High # Effect Currently exploitable # Author: Daniel Stirnimann (daniel.stirnimann (at) csnc (dot) ch) # Date: November, 19th 2007 # ################################################# Introduction: ------------- If a malicious user sends a TFTP request to the signaling server with the MAC address of the victim?s VoIP phone as part of the file name, he is able to reroute only the audio stream coming from the other end of the call to his computers IP address. Even though an Alcatel VoIP phone can make or take calls, and send audio, it is prevented from hearing anything said at the other end of the communication. The VoIP phone needs to be rebooted manually in order to work again. This vulnerability may be further exploited by rerouting the audio stream to the victim?s VoIP phone again. This would only allow the malicious user to eavesdrop on half of the victim's audio communication: what the victim says is not intercepted, only on the answers made by the other party would be overheard. Note, this scenario has not been verified. Vulnerable: ----------- Alcatel OmniPCX Enterprise release 7.1 and earlier Not vulnerable: --------------- Alcatel OmniPCX Enterprise release 8.0 Vulnerability Management: ------------------------- June 2007: Vulnerability found June 2007: Alcatel Security notified November 2007: Alcatel Advisory available November 2007: Alcatel Security Information Alcatel-Lucent information: --------------------------- http://www1.alcatel-lucent.com/psirt/statements.htm Number 2007004 Reference: http://www.csnc.ch/static/advisory/secadvisorylist.html