N1.1 Description

VoIP technology has seen rapid adoption during the past year. At the same time, there has been an increase in security scrutiny of typical components of a VoIP network such as the call proxy and media servers and the VoIP phones themselves. Various products such as Cisco Unified Call Manager , Asterisk and a number of VoIP phones from various vendors have been found to contain vulnerabilities that can either lead to a crash or a complete control over the vulnerable server/device. By gaining a control over the VoIP server and phones, an attacker could carry out VoIP phishing scams, eavesdropping, toll fraud or denial-of-service attacks.

Since many VoIP servers especially the ones at VoIP service providers are an interface between SS7 (traditional phone signaling) and IP networks, an attacker capable of compromising a vulnerable VoIP server could even potentially manipulate the SS7 signaling interconnection to disrupt services on the Public Switched Telephone Network (PSTN).

N1.2 CVE Entries

Asterisk

CVE-2006-2898, CVE-2006-4345, CVE-2006-4346, CVE-2006-5444

Cisco Call Manager

CVE-2006-0368, CVE-2006-3594

VoIP Phones

CVE-2005-3717, CVE-2005-3722, CVE-2005-3723, CVE-2006-0305, CVE-2006-0374, CVE-2006-0834, CVE-2006-5038

N1.3 How to Mitigate These VoIP Vulnerabilities

• Apply the vendor supplied patches for VoIP servers and phone software/firmware.


• Ensure that the operating system running the VoIP server is patched with the latest OS patch supplied by either the OS vendor or the VoIP product vendor.


• Scan the VoIP servers and phones to detect open ports. Firewall all the ports from the Internet that are not required for keeping up the VoIP infrastructure.


• Use a VoIP protocol aware firewall or Intrusion Prevention product to ensure that all UDP ports on VoIP phones are not open to the Internet for RTP/RTCP communications.


• Disable all the unnecessary services on phones and servers (telnet, HTTP etc.)


• Use VoIP protocol fuzzing tools such as OULU SIP PROTOS Suite against the VoIP components to ensure the VoIP protocol stack integrity.


• Additional caution should be taken at the product selection phase to ensure the VoIP product vendor supports OS patches as they are released. Many VoIP vendors will void support for unapproved patches and may take considerable time before approving them.


• Apply separate VLANs to your voice and data network as much as your converged network will allow. Ensure that VoIP DHCP and TFTP servers are separate from your data network.


• Change the default passwords on phones' and proxies' administrative login functions.

N1.4 References

Asterisk Vulnerabilities

http://www.asterisk.org/

http://archives.neohapsis.com/archives/bugtraq/2006-06/0139.html

http://archives.neohapsis.com/archives/fulldisclosure/2006-08/0617.html

http://archives.neohapsis.com/archives/bugtraq/2006-10/0311.html

Cisco Unified Call Manager Vulnerabilities

http://www.cisco.com/en/US/products/products_security_advisory09186a00805e8a55.shtml

General VoIP Security Information VoIPSA Organization

http://www.voipsa.org

NIST Security Considerations for VoIP Systems

http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf