A glitch in some vendors’ Session Initiation Protocol (SIP) software could leave SIP-enabled devices - such as IP phones, IP PBXs and instant messaging clients - vulnerable to denial-of-service attacks, the CERT Coordination Center said last week.
The Oulu University Secure Programming Group (OUSPG) discovered that when a certain SIP test suite (PROTOS c07-sip) is applied to SIP clients devices or proxy servers, it caused "impacts ranging from unexpected system behavior and denial of services to remote code execution," according to the CERT warning.
The vulnerably relates to the "invite" messages SIP devices send to each other to initiate sessions such as VoIP calls, text chat or video.
SIP is an emerging VoIP protocol used to establish sessions among SIP "agents," such as IP phones, softphones, text chat clients, and video applications. Industry observers have called text-based SIP the successor to the H.323 protocol, used widely in IP-based telephony and videoconferencing equipment. Vendors with IP PBX and phone products that use SIP include Alcatel SA, Avaya, Cisco Systems, Mitel Networks, Nortel Networks, Pingtel, Polycom, and Siemens AG. Microsoft Windows Messenger - a Web telephony, chat and video client included in Windows XP - also uses SIP.
According to CERT and Cisco’s Web site, Cisco’s 7940 and 7960 models of IP phones running SIP images prior to version 4.2 are vulnerable, as well as Cisco routers running Cisco IOS 12.2T and 12.2X. PIX firewalls running software versions with SIP support - beginning with version 5.2(1) and up to, but not including versions 6.2(2), 6.1(4), 6.0(4) and 5.2(9) - are also affected, Cisco says. Fixes to these products are available from Cisco’s Web site.
Microsoft says its SIP-based software is not affected by the vulnerability.
Nortel says its Succession Communication Server 2000 and Succession Communication Server 2000 - Compact are affected by the vulnerability only when SIP-T has been enabled on the IP PBX products. Patches for these products are available at Nortel’s Web site.
Other vendors with SIP-based products have not posted comments on the CERT Coordination Center Web site.