SIP vulnerability found by PROTOS test suite

Per Cederqvist ceder@ingate.com
24 Feb 2003 17:05:16 +0100


On February 21, 2003, CERT/CC released "CERT Advisory CA-2003-06
Multiple vulnerabilities in implementations of the Session Initiation
Protocol (SIP)".  We have now tested Ingate Firewall version 3.1.1,
and found that it is vulnerable to the problem if the SIP relay is
active.

The PROTOS test suite contains 4526 different test cases.  Some of the
test cases cause the SIP module in the Ingate Firewall to crash.  This
will cause all SIP registrations and all on-going SIP sessions to be
lost.  We do not yet know if execution of arbitrary code is possible
due to this problem.

It is likely that all versions of Ingate Firewall and Ingate SIParator
are vulnerable.

If you set the "SIP relay" setting to "Inactive" on the "SIP Relay"
page, the firewall is no longer vulnerable to attacks based on the
PROTOS test suite.  However, you will also be unable to use SIP.

We will release a fix for this problem as soon as possible.  When a
fix is available, a new announcement will be made to the productinfo
mailing list.

References:

CERT advisory: 
    http://www.cert.org/advisories/CA-2003-06.html

PROTOS test suite: 
    http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/index.html

-- 
Per Cederqvist <ceder@ingate.com>, Director Development, Ingate Systems AB