Nortel IP Phone Flooding Denial of Service

2007.10.23
Credit: Daniel Stirnimann
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2007-5639
CWE: CWE-Other


CVSS Base Score: 7.1/10
Impact Subscore: 6.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

############################################################# # # COMPASS SECURITY ADVISORY http://www.csnc.ch/ # ############################################################# # # Product: IP Phone # Vendor: Nortel # Subject: IP Phone Flooding Denial of Service # Risk: High # Effect: Currently exploitable # Author: Daniel Stirnimann (daniel.stirnimann (at) csnc (dot) ch) # Date: October, 18th 2007 # ############################################################# Introduction: ------------- A malicious user who can send spoofed packets to an IP phone is able to freeze it. A potential victim does not recognize that his IP phone is offline until he tries to use it. Signs which make it obvious for the victim that his IP phone is not working are that he does not here a line peep sound when trying to make a call or that the LCD display is not updated. The attack uses valid UNIStim "Mute / UnMute" messages which are sent to the IP phone with a spoofed server source address. Nortel has noted this as: Title: Potential DoS Vulnerability - IP Phone Freeze to Offline State Number: 2007008386 http://support.nortel.com/go/main.jsp?cscat=SECUREADVISORY Vulnerable: ----------- Nortel IP Phone 1140E IP Softphone 2050 and others. See associated products on the Nortel advisory. Vulnerability Management: ------------------------- June 2007: Vulnerability found June 2007: Nortel Security notified October 2007: Nortel Advisory available October 2007: Compass Security Information Remediation: ------------ Follow the recommended actions for the affected systems, as identified in the Nortel Advisory. Technical Description: ---------------------- Flooding an IP phone with valid UNIStim messages freezes the IP phone. The IP phone needs to be rebooted by pulling the power cord in order to work again. The proof-of-concept code uses "Mute / UnMute" UNIStim messages. The ID number is increased sequentially from 1 to 65535. After the packets have been sent, the phone is frozen and cannot be used. The phone does not ring if it's number is called and the LCD display is not updated. Reference: http://www.csnc.ch/static/advisory/secadvisorylist.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top