Document ID: 571
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060802-sip
Revision 1.0
For Public Release 2006 August 2 16:00 UTC (GMT)
Contents
ResponseAdditional Information
Status of this Notice: Final
Revision History
Cisco Security Procedures
Cisco Response
This is the Cisco PSIRT response to the statements made by Dave Endler and Mark Collier in their presentation, 'Hacking Voice over IP (VoIP) Exposed' at BlackHat USA 2006.
We would like to thank Dave Endler for reporting this issue to us.
We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.
This issue is currently being tracked by Cisco bug ID CSCse92417 (registered customers only) for IOS CallManager Express (CME).
Cisco CallManager has been tested and is not vulnerable to this attack.
Additional Information
The attacks described in the report attempt to manipulate the Session Initiation Protocol (SIP) stack in various voice products to gain information from the SIP user directory. By sending various SIP messages to the VoIP infrastructure, an attacker can discover the names of the users stored in the SIP user database.
It is important to note that the attacks described do not disrupt VoIP call processing or voice mail access.
Cisco's recommended best practice of implementing the VoIP infrastructure and data devices on separate VLANs would prevent malicious users from launching such attacks against the VoIP network.
Please consult the following links for other recommendations and guidelines for securing IP telephony networks:
- Enhanced Security for Unified Communications
http://www.cisco.com/en/US/netsol/ns340/ns394/ns165/ns391/networking_solutions_package.html - Cisco Unified Voice Security
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/5x/50scurty.html
Cisco was made aware of this issue on July 20, 2006. We are continuing to investigate this issue and will update this document as additional information becomes available.
Status of this Notice: Final
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Revision History
|
Revision 1.0 |
2006-August-02 |
Initial public release. |
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.