Subject: [NEWS] Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities
Date: 15 Feb 2008 09:34:15 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Cisco Unified IP Phone models contain multiple overflow and denial of 
service (DoS) vulnerabilities. There are workarounds for several of these 
vulnerabilities. Cisco has made free software available to address this 
issue for affected customers.

DETAILS

Vulnerable Products
The following Cisco Unified IP Phone devices running Skinny Client Control 
Protocol (SCCP) firmware:
 * 7906G
 * 7911G
 * 7935
 * 7936
 * 7940
 * 7940G
 * 7941G
 * 7960
 * 7960G
 * 7961G
 * 7970G
 * 7971G

The following Cisco Unified IP Phone devices running Session Initiation 
Protocol (SIP) firmware:
 * 7940
 * 7940G
 * 7960
 * 7960G

The version of firmware running on an IP Phone can be determined via the 
Settings menu on the phone or via the phone HTTP interface.

Products Confirmed Not Vulnerable
No other Cisco products are known to be vulnerable. This includes the 
following Cisco Unified IP Phone devices:
 * 7931
 * 7937
 * 7942
 * 7945
 * 7965
 * 7975

SCCP and SIP-Related Vulnerabilities
 * DNS Response Parsing Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SCCP 
and SIP firmware contain a buffer overflow vulnerability in the handling 
of DNS responses. A specially-crafted DNS response may be able to trigger 
a buffer overflow and execute arbitrary code on a vulnerable phone. This 
vulnerability is corrected in SCCP firmware version 8.0(8) and SIP 
firmware version 8.8(0). This vulnerability is documented in CVE-2008-0530 
and Cisco Bug IDs CSCsj74818 and CSCsk21863.

SCCP-Only Related Vulnerabilities
 * Large ICMP Echo Request DoS
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SCCP 
firmware contain a DoS vulnerability. It is possible to cause a vulnerable 
device to reboot by sending a large ICMP echo request packet. This 
vulnerability is corrected in SCCP firmware version 8.0(6). This 
vulnerability is documented in CVE-2008-0526 and Cisco Bug ID CSCsh71110.

 * HTTP Server DoS
Cisco Unified IP Phone 7935 and 7936 devices running SCCP firmware contain 
a DoS vulnerability in their internal HTTP server. By sending a specially 
crafted HTTP request to TCP port 80 on a vulnerable phone, it may be 
possible to cause the phone to reboot. It is possible to work around this 
issue by disabling the internal HTTP server on vulnerable phones. The 
internal HTTP server only listens on TCP port 80. This vulnerability is 
corrected in SCCP firmware version 3.2(18) for 7935 devices and SCCP 
firmware version 3.3(15) for 7936 devices. This vulnerability is 
documented in CVE-2008-0527 and Cisco Bug ID CSCsk20026.

 * SSH Server DoS
Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G and 7971G devices 
running SCCP firmware contain a buffer overflow vulnerability in their 
internal Secure Shell (SSH) server. By sending a specially crafted packet 
to TCP port 22 on a vulnerable phone, it may be possible for an 
unauthenticated attacker to cause the phone to reboot. It may also be 
possible for an unauthenticated attacker to execute arbitrary code with 
system privileges. It is possible to work around this issue by disabling 
the internal SSH server on vulnerable phones. The internal SSH server only 
listens on TCP port 22. This vulnerability is corrected in SCCP firmware 
version 8.2(2)SR2. This vulnerability is documented in CVE-2004-2486 
and Cisco Bug ID CSCsh79629.

SIP-Only Related Vulnerabilities
 * SIP MIME Boundary Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SIP 
firmware contain a buffer overflow vulnerability in the handling of 
Multipurpose Internet Mail Extensions (MIME) encoded data. By sending a 
specially crafted SIP message to a vulnerable phone, it may be possible to 
trigger a buffer overflow and execute arbitrary code on the phone. This 
vulnerability is corrected in SIP firmware version 8.8(0). This 
vulnerability is documented in CVE-2008-0528 and Cisco Bug ID CSCsj74786.

 * Telnet Server Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SIP 
firmware contain a buffer overflow vulnerability in their internal telnet 
server. The telnet server is disabled by default and can be configured to 
allow either privileged or unprivileged user-level access. If the telnet 
server is enabled for privileged or unprivileged access, the phone 
password parameter must additionally be configured to permit telnet 
access. By entering a specially crafted command on a phone configured to 
permit unprivileged access, it may be possible for an unprivileged-level, 
authenticated user to trigger a buffer overflow and obtain 
privileged-level access to the phone. It is possible to work around this 
issue by disabling the internal telnet server on vulnerable phones. This 
vulnerability is corrected in SIP firmware version 8.8(0). This 
vulnerability is documented in CVE-2008-0529 and Cisco Bug ID CSCsj78359.

 * SIP Proxy Response Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SIP 
firmware contain a heap overflow vulnerability in the handling of a 
challenge/response message from a SIP proxy. If an attacker controls the 
SIP proxy to which a vulnerable phone is registered, attempts to register, 
or the attacker can act as a man-in-the-middle, it may be possible to send 
a malicious challenge/response message to a phone and execute arbitrary 
code. This vulnerability is corrected in SIP firmware version 8.8(0). This 
vulnerability is documented in CVE-2008-0531 and Cisco Bug ID CSCsj74765.

Impact
Successful exploitation of these vulnerabilities may cause vulnerable IP 
phone devices to reboot, which will interrupt client voice services and, in 
some cases, allow the execution of arbitrary code.

Software Versions and Fixes
When considering software upgrades, also consult 
http://www.cisco.com/go/psirt and any subsequent advisories to determine 
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices 
to be upgraded contain sufficient memory and that current hardware and 
software configurations will continue to be supported properly by the new 
release. If the information is not clear, contact the Cisco Technical 
Assistance Center ("TAC") or your contracted maintenance provider for 
assistance.
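As an added example (not part of the advisory and not a Cisco tool), the model and fixed-version table above turned into a small inventory audit in Python. It assumes firmware versions are written in the form the advisory uses ("8.0(8)", "8.2(2)SR2") and that versions within one train order by major.minor(build) and then by the SR number; the inventory is constructed sample data.

```python
import re

# Fix table transcribed from the advisory: (issue, firmware protocol, affected models, fixed version);
# the HTTP Server DoS has a different fixed version per model, so it gets one row per model.
P4 = ("7940", "7940G", "7960", "7960G")
FIXES = [
    ("DNS Response Parsing Overflow CVE-2008-0530", "SCCP", P4, "8.0(8)"),
    ("DNS Response Parsing Overflow CVE-2008-0530", "SIP", P4, "8.8(0)"),
    ("Large ICMP Echo Request DoS CVE-2008-0526", "SCCP", P4, "8.0(6)"),
    ("HTTP Server DoS CVE-2008-0527", "SCCP", ("7935",), "3.2(18)"),
    ("HTTP Server DoS CVE-2008-0527", "SCCP", ("7936",), "3.3(15)"),
    ("SSH Server DoS CVE-2004-2486", "SCCP",
     ("7906G", "7911G", "7941G", "7961G", "7970G", "7971G"), "8.2(2)SR2"),
    ("SIP MIME Boundary Overflow CVE-2008-0528", "SIP", P4, "8.8(0)"),
    ("Telnet Server Overflow CVE-2008-0529", "SIP", P4, "8.8(0)"),
    ("SIP Proxy Response Overflow CVE-2008-0531", "SIP", P4, "8.8(0)"),
]

# Matches the version form used in the advisory, e.g. "8.0(8)" or "8.2(2)SR2".
_VER = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:SR(\d+))?$")

def parse_version(text):
    """'8.2(2)SR2' -> (8, 2, 2, 2). Assumption (not stated in the advisory): within a
    train, versions order by major.minor(build) and then by the optional SR number."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError("unrecognised firmware version: %r" % text)
    major, minor, build, sr = m.groups()
    return (int(major), int(minor), int(build), int(sr or 0))

def open_issues(model, protocol, firmware):
    """Advisory items still open for one phone, as (issue, fixed_version) pairs.
    protocol is the firmware family the phone runs, 'SCCP' or 'SIP'."""
    running = parse_version(firmware)
    model, protocol = model.upper(), protocol.upper()
    return [(issue, fixed) for issue, proto, models, fixed in FIXES
            if proto == protocol and model in models and running < parse_version(fixed)]

# Constructed sample inventory (not real data): a 7960G one build short of the DNS fix,
# a SIP 7960 on the fixed build, a 7941G missing the SR2 SSH fix, and a 7975 (not vulnerable).
SAMPLE_INVENTORY = [
    ("7960G", "SCCP", "8.0(7)"),
    ("7960", "SIP", "8.8(0)"),
    ("7941G", "SCCP", "8.2(2)SR1"),
    ("7975", "SCCP", "8.3(1)"),
]

if __name__ == "__main__":
    for phone in SAMPLE_INVENTORY:
        for issue, fixed in open_issues(*phone):
            print("%s %s %s: %s (fixed in %s)" % (phone + (issue, fixed)))
```

Phones that match no row (such as the 7975) produce no output, so an empty report means nothing in the inventory is below an advisory fix version, not that the inventory was checked against other advisories.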

Workarounds
Workarounds are available for several of the vulnerabilities. Disabling 
unnecessary internal phone Telnet and HTTP servers will eliminate exposure 
to the Telnet Server overflow and HTTP Server DoS vulnerabilities.

It is possible to mitigate these vulnerabilities with access control lists 
(ACL). Filters that deny ICMP Echo Request, TCP port 22 (SSH), TCP port 23 
(Telnet), TCP port 80 (HTTP), TCP/UDP port 53 (DNS) and TCP/UDP port 5060 
(SIP) should be deployed at voice/data network boundaries as part of a 
tACL policy for protection of traffic which enters the network at ingress 
access points. This policy should be configured to protect the network 
device and other devices behind it where the filter is applied.

Additional information about tACLs is available in "Transit Access Control 
Lists: Filtering at Your Edge":
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Additional mitigation techniques that can be deployed on Cisco devices 
within the network are available in the Cisco Applied Mitigation Bulletin 
companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080213-phone.shtml


ADDITIONAL INFORMATION

The information has been provided by the Cisco Systems Product Security 
Incident Response Team (psirt@cisco.com).
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml


