Cisco, Nortel Fixing Vulnerability In VoIP Products


Cisco Systems and Nortel Networks are issuing fixes for some of their IP telephony products to protect against possible exposure to denial-of-service attacks.

The patches come in response to an alert issued Friday by the CERT Coordination Center, a Pittsburgh-based research and development center that tracks Internet security problems. The alert describes multiple vulnerabilities in some implementations of Session Initiation Protocol (SIP), an emerging IP communications protocol.

SIP, used in voice-over-IP, Internet telephony and instant messaging, is a text-based signaling protocol used for opening communications and data sessions between devices.

Testing by the Oulu University Secure Programming Group on a variety of SIP implementations revealed vulnerabilities in the protocol's "Invite" message, which SIP agents and proxies are required to accept in order to set up sessions, CERT said.

If exploited, the vulnerabilities could result in denial of service, service interruptions or unauthorized access to the affected device, according to CERT's advisory.

Not all SIP implementations are affected, and specific impacts will vary from product to product, CERT said.

Dennis Gorecki, marketing manager at Burr Ridge, Ill.-based Data Comm Networking, said he is still reviewing the advisory, so it is too early to tell how significant the SIP vulnerability could be to the solution provider's customer base.

Data Comm Networking sells Cisco's lineup of IP telephony products but does not sell the Nortel products impacted by the vulnerability.

In general, concerns from customers about the security of IP telephony implementations are minimal, Gorecki said.

"There's not a lot [of concern], but there are some places that are still looking to avoid using a single pipe for both voice and data," he said.

Cisco, Nortel and other vendors responded to the advisory on CERT's Web site.

Cisco said impacted products include models 7940 and 7960 of its IP phones running SIP images prior to version 4.2, routers running Cisco IOS 12.2T and 12.2 'X' trains, and PIX firewalls running software versions with SIP support beginning with version 5.2(1) but not including versions 6.2(2), 6.1(4), 6.0(4) and 5.2(9).

Fixes are available through Cisco's Web site.

Nortel's impacted products include Succession Communication Server 2000 and Succession Communication Server-Compact softswitches, but only in IP-PBX configurations where SIP-T has been provisioned.

The vendor expects to release a software patch by the end of the week.

Microsoft said its SIP client implementation is not affected.

Other IP telephony players such as 3Com, Alcatel, Avaya and Siemens did not provide comment to CERT regarding the advisory.