Internet Telephony Product of the Year

SIP parsing error in Avaya one-X Desktop Edition may allow an attacker to disconnect it from the server and crash

Advisory Number: VIPER-2007-043
Release Date: 2007.06.19
Source: Sipera VIPER Lab
Systems Affected: Avaya one-X Desktop Edition SIP Soft Phone (version 2.1.0.70)
Category: Soft Phone Denial of Service
Severity: High

Overview

An implementation error in SIP message parsing module of Avaya one-X Desktop Edition SIP phone may allow a remote attacker to crash the phone.

Impact

Successfully sending a malformed message to the phone crashes the phone causing denial of service to user.

Description

Avaya one-X™ Desktop Edition, formerly Avaya SIP soft phone, transforms Windows-based PCs into SIP-based collaboration endpoints. A SIP header parsing error exists in Avaya one-X phone which may allow a remote attacker to cause the phone to enter in an error state causing it to display an error message meaning “Connection to server was lost. The phone will now exit. Please restart the phone”. Clicking OK on such message shuts down the phone and it must be restarted. Sending such messages to multiple phones may cause denial of service to several users.

Related Links

Phone SIP stack implementation should be patched to prevent exploiting such vulnerability.

Vendor Response:

Avaya: The official response for the one-X Desktop Edition vulnerabilities, ASA-2007-241, is posted at http://support.avaya.com/elmodocs2/security/ASA-2007-241.htm

For more information on any of these threat advisories, please email Sipera VIPER Lab at viper@sipera.com

Unified Communications Unleashed
Sipera Systems is the worldwide market leader in solutions for the rapid and simple adoption of Unified Communications (UC). Thousands of users around the globe rely on Sipera to secure VoIP, IP video, collaboration, messaging and dozens of other high-performance applications. Sipera’s groundbreaking “Borderless UC” enables controlled communications to any device in any location.

Years of UC Security experience is contained in Sipera unified communications (UC-Sec) products. These appliances benefit from the research conducted by Sipera VIPER Lab to provide comprehensive threat protection, policy enforcement, access control, and privacy in a single, real-time appliance.

© Copyright 2006-2010 Sipera Systems, Inc. All rights reserved. Sipera, Sipera UC-Sec and related products, Sipera LAVA and Sipera VIPER and related services are trademarks of Sipera Systems, Inc.