OmniPCX Enterprise VoIP Phone Audio Stream Rerouting Vulnerability
------------------------------------------------------------------------
SUMMARY
A vulnerability in Alcatel's OmniPCX allows remote attackers to cause the
product to no longer be able to receive audio by sending it a malformed
TFTP request.
DETAILS
Vulnerable Systems:
* Alcatel OmniPCX Enterprise release 7.1 and earlier
Immune Systems:
* Alcatel OmniPCX Enterprise release 8.0
If a malicious user sends a TFTP request to the signaling server with the
MAC address of the victim's VoIP phone as part of the file name, he is
able to reroute only the audio stream coming from the other end of the
call to his computer's IP address. Even though an Alcatel VoIP phone can
make or take calls, and send audio, it is prevented from hearing anything
said at the other end of the communication. The VoIP phone needs to be
rebooted manually in order to work again.
This vulnerability may be further exploited by rerouting the audio stream
to the victim's VoIP phone again. This would allow the malicious user to
eavesdrop on only half of the victim's audio communication: what the
victim says is not intercepted; only the answers made by the other party
would be overheard. Note that this scenario has not been verified.
Disclosure Timeline:
June 2007 - Vulnerability found
June 2007 - Alcatel Security notified
November 2007 - Alcatel Advisory available
November 2007 - Alcatel Security Information
Vendor Response:
"Upon boot, an IP Touch phone downloads configuration information about
the deployment using the TFTP protocol.
The attack against a given IP Touch phone set is performed by sending a
specially crafted TFTP request containing this phone's MAC address
(Ethernet address) faking this initial download request. The Communication
Server thereafter considers the attacking PC's IP address as the phone
set's IP address for the incoming half of the voice connection.
Because the signaling link is not broken, the phone stays up and can dial
and receive calls, without any ring tone and audio feedback.
Communications are halfway with only the outgoing audio but no audio is
received from the far end".
Solutions:
Workaround
In installations with IP address spaces for phone sets separate from that
of the data workstations, bogus TFTP requests may be filtered using a
firewall in front of the Communication Server. The firewall is configured
to allow TFTP requests only from the range of IP addresses allocated to IP
Touch phones and block any TFTP request coming from other IP addresses,
thereby blocking any bogus request emitted from any workstation.
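The filtering decision described in this workaround, as an added example
(not code from the advisory or from Alcatel) that can be run over captured
UDP port 69 payloads to see which requests the firewall rule would drop.
The phone range, the sample file name and the sample MAC address are
constructed assumptions, not values from the product.

```python
import ipaddress
import re
import struct

# Assumption: the site's dedicated IP Touch phone range (hypothetical value).
PHONE_NET = ipaddress.ip_network("10.20.0.0/24")
TFTP_RRQ, TFTP_WRQ = 1, 2  # request opcodes defined in RFC 1350
# Generic 12-hex-digit MAC pattern; the product's real file-name format is not assumed.
MAC_RE = re.compile(r"(?:[0-9a-f]{2}[:\-_.]?){5}[0-9a-f]{2}", re.I)


def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for a well-formed RRQ/WRQ, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None
    parts = payload[2:].split(b"\x00")
    # A valid request is filename NUL mode NUL, so at least three parts.
    if len(parts) < 3 or not parts[0] or not parts[1]:
        return None
    return opcode, parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace")


def evaluate(src_ip: str, payload: bytes):
    """Allow TFTP requests only from the phone range; report any MAC in the file name."""
    req = parse_tftp_request(payload)
    if req is None:
        return ("ignore", None)  # not a TFTP request, outside this policy
    match = MAC_RE.search(req[1])
    mac = re.sub(r"[^0-9a-f]", "", match.group(0).lower()) if match else None
    verdict = "allow" if ipaddress.ip_address(src_ip) in PHONE_NET else "block"
    return (verdict, mac)


# Constructed samples: (source IP, UDP payload addressed to the Communication Server).
SAMPLES = [
    ("10.20.0.57", b"\x00\x01sample-001122aabbcc.cfg\x00octet\x00"),    # phone range
    ("192.168.5.14", b"\x00\x01sample-001122aabbcc.cfg\x00octet\x00"),  # workstation
    ("192.168.5.14", b"\x00\x03\x00\x01data"),                          # DATA, not a request
]


def triage(samples=SAMPLES):
    return [(src, *evaluate(src, payload)) for src, payload in samples]


if __name__ == "__main__":
    for row in triage():
        print(row)
```

A "block" verdict that carries a MAC address identifies the phone set whose
audio path the request was aimed at, which is useful context for an alert.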
Fixed Software Versions and how to obtain them
Please contact your Business Partner to determine the appropriate course
of action. For information, the correction has been delivered in the
following patches:
* OmniPCX Enterprise R7.1: install patch F5.401.21.e
* OmniPCX Enterprise R7.0: upgrade to release R7.1
* OmniPCX Enterprise R6.2: install patch F3.301.38.a
* OmniPCX Enterprise R6.1: install patch F2.502.33
* OmniPCX Enterprise R6.0 and earlier: those releases are phased out:
upgrade to release R7.1.
ADDITIONAL INFORMATION
The information has been provided by Daniel Stirnimann
<daniel.stirnimann@csnc.ch>.
The original article can be found at:
http://www1.alcatel-lucent.com/psirt/statements/2007004/IPTouchDOS.htm