Multiple VoIP phones SIP-Notify-Message packet spoofing

sip-notify-message-spoof (21260) The risk level is classified as MediumMedium Risk

Description:

Multiple VoIP phones could allow a remote attacker to spoof SIP-Notify-Message packets caused by a vulnerability in the processing of specific Session Initiation Protocol (SIP) messages. Cisco 7940/7960 and Grandstream BT 100 are affected. The Cisco SIP implementation fails to properly validate the 'Call-ID' tag and the 'branch' parameters of the received NOTIFY message for ensuring the validity of the subscription. A remote attacker could exploit this vulnerability by sending a spoofed SIP-Notify-Message packet to allow the attacker to modify the Message Waiting status on the targeted user's phone.


Consequences:

Gain Access

Remedy:

No remedy available as of July 9, 2011.

References:

  • Tele-Consulting GmbH advisory 05/07/06: Weakness in implemenation of proccessing SIP-Notify-Messages in VoIP-Phones.
  • BID-14174: Multiple Vendor VoIP Phones Spoofed SIP Status Message Handling Weakness
  • CVE-2005-2181: Cisco 7940/7960 Voice over IP (VoIP) phones do not properly check the Call-ID, branch, and tag values in a NOTIFY message to verify a subscription, which allows remote attackers to spoof messages such as the Messages waiting message.
  • CVE-2005-2182: Grandstream BudgeTone (BT) 100 Voice over IP (VoIP) phones do not properly check the Call-ID, branch, and tag values in a NOTIFY message to verify a subscription, which allows remote attackers to spoof messages such as the Messages waiting message.
  • SECTRACK ID: 1014406: Cisco 7940/7960 Lets Remote Users Spoof SIP-Notify-Messages Packets
  • SECTRACK ID: 1014407: BudgeTone SIP Phone Lets Remote Users Spoof SIP-Notify-Messages Packets

Platforms Affected:

  • Cisco 7940 Router
  • Cisco 7960 Router
  • Grandstream Grandstream BT 100

Reported:

Jul 06, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page