CONTACT SALES
Internet Telephony Product of the Year

Sipera VIPER Lab Identifies AOL, Avaya, MSN and Nortel VoIP Phone Vulnerabilities

Vulnerabilities Expose Users to DoS, Disablement, Call Degradation, Call Hijacking and Other Exploits and Interruptions

Richardson, TX, June 19, 2007 – Sipera VIPER™ Lab, operated by Sipera™ Systems, the leader in pure security for VoIP, mobile and multimedia communications, today disclosed seven threat advisories, and potential solutions, for SIP-based soft phones from AOL®, Avaya, MSN® and Nortel™, and four advisories for Avaya SIP-based hard phones. These threat advisories are in addition to previous VoIP hard phone, WiFi/dual-mode phone and general SIP vulnerabilities published this year by Sipera VIPER Lab. Vulnerabilities are posted at http://www.sipera.com/viper as an educational security service to Sipera’s customers and the general public.

The major threat advisories that affect these VoIP soft phones include:

  • Resource exhaustion and buffer overflow attack vulnerabilities in some AOL Instant Messenger voice clients, which might cause denial of service and may allow a remote attacker to crash the IM and voice client.
  • A buffer overflow vulnerability and a SIP parsing error in Avaya one-X™ Desktop Edition SIP soft phones, potentially allow a remote attacker to partially disable the phone, disconnect it from the server and crash the phone.
  • A resource exhaustion attack vulnerability in some Microsoft® MSN Messenger voice chat clients, which might cause denial of service.
  • A buffer overflow vulnerability and an improper message parsing vulnerability in Nortel Networks PC Client SIP soft phones, which may allow a remote attacker to crash the phone.

Sipera VIPER Lab also announced additional VoIP hard phone advisories for Avaya 4602SW SIP phones, which are vulnerable to server impersonation, accepting SIP requests from random source IP addresses, open UDP port flooding and RTP port flooding. These vulnerabilities can expose the phones to call hijacking, malicious messaging, denial of service, and voice quality degradation.

“Soft phones provide great flexibility for communications but are very vulnerable to attacks. These not only pose threats to the VoIP system but also to the computing and network environments,” said Krishna Kurapati, Sipera founder/CTO and head of Sipera VIPER Lab. “Left unaddressed, these vulnerabilities can disrupt critical business and personal voice communications, negating the many advantages to VoIP. Sipera works with its customers and vendors to address these threats before they become a major issue.”

Sipera VIPER Lab proactively identifies VoIP/unified communication threats, and is comprised of experienced VoIP security researchers operating 24/7/365 from Richardson, Texas, and Hyderabad, India. Since its inception in 2003, Sipera VIPER Lab has identified thousands of potential security threats and vulnerabilities which include fuzzing, floods and distributed floods, spoofing, stealth attacks and spam. VIPER Lab research is used to continuously improve the Sipera IPCS products that enable, control and protect real-time unified communications for enterprises and service providers.

About Sipera Systems
Sipera Systems provides enterprises and service providers with comprehensive VoIP security solutions that protect, control and manage real-time unified communications. The Sipera IPCS™ products combine VPN, Firewall/SBC, Intrusion Prevention, Anti-Spam, Compliance and Troubleshooting functionality for VoIP systems in a single device. This securely enables IP PBXs, VoIP remote users, SIP trunks, data/voice VLANs, hosted VoIP services and IMS or UMA-based networks. Comprised of top vulnerability research experts, the Sipera VIPER™ Lab concentrates its efforts towards identifying VoIP vulnerabilities, while Sipera LAVA™ tools verify networks’ readiness to resist attacks. Founded in 2003, and backed by Sequoia Capital, Austin Ventures and Star Ventures, Sipera is headquartered in Richardson, TX. Visit http://www.sipera.com.

Sipera, Sipera logo, Sipera IPCS, Sipera IPCS 210, Sipera IPCS 310, Sipera IPCS 410, Sipera IPCS 510, Sipera IPCS 520, Sipera LAVA and Sipera VIPER are trademarks of Sipera Systems, Inc. All other companies and products listed herein are trademarks or registered trademarks of their respective holders.

Media Contacts:
Larry Bouchie, KMC Partners Public Relations, 617-758-4192, larry@kmcpartners.com

Brendan Ziolo, Sipera Systems, 214-606-1080, bziolo@sipera.com

UC Security Defined
Sipera Systems, the leader in real-time Unified Communications (UC) security, is the choice of enterprises and service providers around the world to support their mission-critical UC deployments.
Sipera offers groundbreaking, production-proven solutions that secure voice, video, messaging, collaboration, and other real-time communications in converged IP networks, boosting compliance with information security requirements.
Backed by the industry-leading research of the VIPER lab, Sipera's solutions provide comprehensive threat protection, policy enforcement, access control, and encryption in a single flexible appliance.

© Copyright 2010 Sipera Systems, Inc. All rights reserved. Sipera, Sipera UC-Sec and related products, SLiC, Sipera LAVA and Sipera VIPER are trademarks of Sipera Systems, Inc.