A flaw found in hardware and software enabled for a new telephony protocol wouldn’t have affected New Zealand users of voice-over-IP technology, as the equipment isn’t yet in use in New Zealand.
The weakness in SIP (session initiation protocol)-enabled technology, discovered by Finland’s Oulu University Secure Programming Group last month and passed on to US alert service CERT, has so far drawn responses only from Cisco Systems and Nortel Networks, which say that some of their equipment is vulnerable (see “SIP weakness could expose VoIP gear to attacks” and “No problems yet from reported SIP vulnerability”).
SIP is an industry-standard protocol for setting up multimedia telephony sessions, usually over the internet or another IP-based network.
According to CERT, “OUSPG’s most recent research focused on a subset of SIP related to the INVITE message, which SIP agents and proxies are required to accept in order to set up sessions. By applying their PROTOS c07-sip test suite to a variety of popular SIP-enabled products, OUSPG discovered impacts ranging from unexpected system behaviour and denial of services to remote code execution.”
Nortel NZ managing director Rob Spray says Nortel has tested all its SIP-enabled products for the flaw. Bar two exceptions, they passed the OUSPG’s tests.
“The exceptions are the Succession Communication Server 2000 and the Succession Communication Server 2000 Compact,” he says. They’re affected by the test suite only where SIP-T has been provisioned within the Communication Server, he says.
Nortel was planning to have a patch available by the end of last month. Spray says the flaw will have no impact in New Zealand, as CSE 2000s aren’t likely to be deployed here until the second half of this year.
Cisco doesn’t currently have any SIP implementations in New Zealand, says Cisco NZ systems engineer Arron Scott.
“All currently deployed VoIP solutions are generally Call Manager-based, using SCCP, MGCP and H.323.”
The CERT advisory notes that overseas, Cisco’s 7490 and 7960 IP phones running pre-version 4.2 SIP images are vulnerable, as are its routers running Cisco IOS 12.2T and 12.2x.
Internet pioneer Vint Cerf, visiting New Zealand last month, said SIP “will be a very critical protocol for setting parameters for devices to talk to each other”. Some commentators believe it will replace H.323 as the accepted standard for IP telephony and video-conferencing.
OUSPG plans to expand the PROTOS test suite as SIP becomes more widely deployed.