Nortel IP Phone UNIStim packet spoofing denial of service

nortel-ipphone-spoof-dos (37253)

Low Risk

Description:

Multiple Nortel IP Phones are vulnerable to a denial of service attack, caused by improper handling of spoofed packets. By flooding a vulnerable device with valid UNIStim messages containing a spoofed server source address, a remote attacker could cause the device to become unresponsive. The device must be rebooted to regain normal functionality.

Platforms Affected:

• Nortel, BCM-BCM-BCM1000 Global
• Nortel, BCM-BCM-BCM200 Global
• Nortel, BCM-BCM-BCM400 Global
• Nortel, BCM-BCM-BCM50 Global
• Nortel, BCM-BCM-BCM50a Global
• Nortel, BCM-BCM-BCM50e Global
• Nortel, BCM-BCM-SRG200 1.0 Global
• Nortel, BCM-BCM-SRG50 Global
• Nortel, Enteprise VoIP-Core-CS 1000E
• Nortel, Enteprise VoIP-Core-CS 1000M Chassis/Cab
• Nortel, Enteprise VoIP-Core-CS 1000S
• Nortel, IP Audio Conference Phone 2033
• Nortel, IP Phone 1110
• Nortel, IP Phone 1120E
• Nortel, IP Phone 1140E
• Nortel, IP Phone 1150E
• Nortel, IP Phone 2001
• Nortel, IP Phone 2002
• Nortel, IP Phone 2004
• Nortel, IP Phone 2007
• Nortel, IP Softphone 2050
• Nortel, Meridian Option 11C
• Nortel, Meridian Option 51C
• Nortel, Meridian Option 61C
• Nortel, Meridian Option 81C
• Nortel, WLAN Handset 2210
• Nortel, WLAN Handset 2211
• Nortel, WLAN Handset 2212
• Nortel, WLAN Handset 6120
• Nortel, WLAN Handset 6140

Remedy:

Refer to Nortel Technical Support Security Advisory Bulletin 2007008386 for patch, upgrade, or suggested workaround information. See References.

Consequences:

Denial of Service

References:

• COMPASS SECURITY ADVISORY: October, 18th 2007, IP Phone Flooding Denial of Service at http://www.csnc.ch/static/advisory/csnc/nortel_IP_phone_flooding_denial_of_service_v1.0.txt.
• Nortel Technical Support Security Advisory Bulletin 2007008386, Potential DoS Vulnerability - IP Phone Freeze to Offline State at http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=654715.
• BID-26122: Nortel IP Phones UNIStim Messages Denial of Service Vulnerability
• CVE-2007-5639: The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and other Nortel IP Phone, Mobile Voice Client, and WLAN Handsets products allow remote attackers to cause a denial of service (device hang) via a flood of Mute and UnMute messages that have a spoofed source IP address for the Signaling Server.

Reported:

Oct 17, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page