Improper error handling vulnerability in Aastra 9112i SIP phone may allow an attacker to cause denial of service

Overview

A message validation check flaw in Aastra 9112i SIP phone implementation may allow a remote attacker to freeze the phone causing denial of service.

Impact

Successful sending a malformed message to the phone causes the phone to be put out of service, causing denial of service to the user. Additionally, attacker can choose the exploit length to cause the phone to continuously ring unless it is rebooted.

Description

Aastra 9112i IP Phone supports IETF SIP standard to provide VoIP service to users. SIP stack used by Aastra 9112i is vulnerable to malformed SIP header value. If an attacker can send a malformed SIP message to the phone, the phone may become un-responsive permanently. Additionally, the phone may continuously ring with no way for the user to stop the ringing. In either case, the phone must be rebooted to recover from this state.

1. Cannot make calls: Once the malformed message is processed by the phone user cannot make further calls. Phone key-pad becomes un-responsive.

2. Cannot receive calls: Once the malformed message is processed by the phone the phone cannot receive further calls. It responds to Ping requests but when a call is made to the phone it does not respond. Network sniffing reveals that the phone sends a 100 Trying response to the legitimate INVITE message, but since the phone has only one line available the call does not complete.

The only way to recover from this state is to reboot the phone.

Solution

Phone SIP stack implementation should be patched to prevent exploiting such vulnerability.

For more information on any of these threat advisories, please email Sipera VIPER Lab at viper@sipera.com