Nortel IP Phone UNIStim re-register denial of service

nortel-ipphone-register-dos (37254) The risk level is classified as LowLow Risk

Description:

Multiple Nortel IP Phones are vulnerable to a denial of service attack, caused by improper handling of spoofed registration messages. By sending multiple spoofed registration messages to a server where a vulnerable UNIStim IP Phone is registered, a remote attacker could cause an affected device to become unregistered. The device must be manually re-registered with the server in order to maintain service.

Platforms Affected:

  • Nortel, Business Communications Manager 1000
  • Nortel, Business Communications Manager 200
  • Nortel, Business Communications Manager 400
  • Nortel, Business Communications Manager 50
  • Nortel, Business Communications Manager 50a
  • Nortel, Business Communications Manager 50e
  • Nortel, Business Communications Manager SRG200
  • Nortel, Business Communications Manager SRG50
  • Nortel, Centrex IP Client Manager
  • Nortel, Centrex IP Element Manager
  • Nortel, CS1000e
  • Nortel, CS1000m
  • Nortel, cs1000s
  • Nortel, CS2100
  • Nortel, IP Audio Conference Phone 2033
  • Nortel, IP Phone 1110
  • Nortel, IP Phone 1120E
  • Nortel, IP Phone 1140E
  • Nortel, IP Phone 1150E
  • Nortel, IP Phone 2001
  • Nortel, IP Phone 2002
  • Nortel, IP Phone 2004
  • Nortel, IP Phone 2007
  • Nortel, Meridian Option 11C
  • Nortel, Meridian Option 51C
  • Nortel, Meridian Option 61C
  • Nortel, Meridian Option 81C
  • Nortel, Meridian SL100
  • Nortel, Mobile Voice Client 2050
  • Nortel, Multimedia Communication Server 5100
  • Nortel, Multimedia Communication Server 5200
  • Nortel, WLAN Handset 2210
  • Nortel, WLAN Handset 2211
  • Nortel, WLAN Handset 2212
  • Nortel, WLAN Handset 6120
  • Nortel, WLAN Handset 6140

Remedy:

Refer to Nortel Technical Support Security Advisory Bulletin 2007008385 for patch, upgrade, or suggested workaround information. See References.

Consequences:

Denial of Service

References:

  • COMPASS SECURITY ADVISORY: October, 18th 2007, IP Phone forced re-authentication at http://www.csnc.ch/static/advisory/csnc/nortel_IP_phone_forced_re-authentication_v1.0.txt.
  • Nortel Technical Support Security Advisory Bulletin 2007008385, DoS Potential Vulnerability - UNIStim IP Phone Forced to Re-register at http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=654641.
  • BID-26124: Nortel UNIStim IP Phone Remote Denial of Service Vulnerability
  • CVE-2007-5640: The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional Nortel products from the IP Phone, Business Communications Manager (BCM), Mobile Voice Client, and other product lines, allow remote attackers to block calls and force re-registration via a resume message to the Signaling Server that has a spoofed source IP address for the phone. NOTE: the attack is more disruptive if a new spoofed resume message is sent after each re-registration.
  • SA27234: Nortel Products Multiple Vulnerabilities

Reported:

Oct 17, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page