
SIP parsing error in Avaya one-X Desktop Edition may allow an attacker to disconnect it from the server and crash it

Advisory Number: VIPER-2007-043
Release Date: 2007.06.19
Source: Sipera VIPER Lab
Systems Affected: Avaya one-X Desktop Edition SIP Soft Phone (version 2.1.0.70)
Category: Soft Phone Denial of Service
Severity: High

Overview

An implementation error in the SIP message parsing module of the Avaya one-X Desktop Edition SIP phone may allow a remote attacker to crash the phone.

Impact

A malformed message that is successfully delivered to the phone crashes it, causing denial of service to the user.

Description

Avaya one-X™ Desktop Edition, formerly Avaya SIP soft phone, transforms Windows-based PCs into SIP-based collaboration endpoints. A SIP header parsing error exists in the Avaya one-X phone which may allow a remote attacker to put the phone into an error state in which it displays an error message meaning “Connection to server was lost. The phone will now exit. Please restart the phone”. Clicking OK on this message shuts down the phone, and it must be restarted. Sending such messages to multiple phones may cause denial of service to several users.

Related Links

The phone's SIP stack implementation should be patched to prevent exploitation of this vulnerability.

Vendor Response:

Avaya: The official response for the one-X Desktop Edition vulnerabilities, ASA-2007-241, is posted at http://support.avaya.com/elmodocs2/security/ASA-2007-241.htm

For more information on any of these threat advisories, please email Sipera VIPER Lab at viper@sipera.com


© Copyright 2010 Sipera Systems, Inc. All rights reserved. Sipera, Sipera UC-Sec and related products, SLiC, Sipera LAVA and Sipera VIPER are trademarks of Sipera Systems, Inc.