
Vonage SIP servers vulnerable to registration replay attack

Advisory Number: VIPER-2007-051
Release Date: 2007.10.24
Source: Sipera VIPER Lab
Systems Affected: Protocol implementation in Vonage service
Category: Weak Authentication
Severity: Medium

Overview

A weak authentication vulnerability in Vonage’s SIP server may allow an attacker to send spoofed REGISTER messages to the server. This is possible because authentication credentials sent to the server can be sniffed, copied, and replayed.

Impact

The attacker may be able to hijack the registration and redirect it to an attacker-chosen contact. Additionally, at transient locations, an IP address that was assigned to the legitimate Vonage subscriber may later be assigned to an attacker’s machine, allowing replay of registrations. The server may not challenge such registrations, and the attacker may be able to receive calls made to the legitimate subscriber.

Description

To keep the Vonage service uninterrupted, the Vonage phone adapter sends a SIP REGISTER message to the Vonage server every 20 seconds. However, the server challenges only the initial REGISTER message that is sent from a new IP address assigned to the subscriber. Subsequent registrations are accepted without authentication. An attacker may exploit this by replaying a Vonage subscriber’s REGISTER message to the server with a spoofed IP address. Additionally, it is possible to change the contents of the replayed REGISTER message before sending it to the server.

Solution

The registrar server should frequently change the nonce parameter and challenge subsequent REGISTER requests from the subscriber device, even if they come from the same IP address. This will prevent replayed REGISTER messages from being accepted.
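
The recommended registrar behaviour can be sketched as follows. This is an added example, not Vonage or Sipera code: the `Registrar` class, the `voip.example` realm, the subscriber credentials and the 30-second nonce lifetime are assumptions made for illustration. Every REGISTER must answer a fresh, single-use nonce, and the source IP address plays no part in the decision.

```python
import hashlib
import hmac
import secrets

NONCE_TTL = 30  # assumed nonce lifetime in seconds

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, nonce, uri, method="REGISTER"):
    # Digest response without qop (RFC 2617, as used by SIP in RFC 3261)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class Registrar:
    """Hypothetical registrar that challenges every REGISTER, whatever its source IP."""
    def __init__(self, realm, users):
        self.realm, self.users = realm, users
        self.nonces = {}  # outstanding nonce -> issue time

    def challenge(self, now):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = now
        return 401, nonce

    def handle_register(self, msg, now):
        # pop() makes each nonce single use, so a captured message cannot be reused
        issued = self.nonces.pop(msg.get("nonce"), None)
        if issued is None or now - issued > NONCE_TTL:
            return self.challenge(now)
        password = self.users.get(msg["user"])
        if password is None:
            return 403, None
        expected = digest_response(msg["user"], self.realm, password, msg["nonce"], msg["uri"])
        if not hmac.compare_digest(expected, msg.get("response", "")):
            return 403, None
        return 200, None

def demo():
    # Constructed subscriber and realm, for illustration only
    reg = Registrar("voip.example", {"alice": "s3cret"})
    uri = "sip:voip.example"
    first, nonce = reg.handle_register({"user": "alice", "uri": uri}, now=0)
    signed = {"user": "alice", "uri": uri, "nonce": nonce,
              "response": digest_response("alice", "voip.example", "s3cret", nonce, uri)}
    accepted, _ = reg.handle_register(signed, now=1)
    replayed, _ = reg.handle_register(dict(signed), now=21)  # same message, 20 s later
    return first, accepted, replayed  # (401, 200, 401)
```

The replayed copy is answered with a new 401 challenge, which cannot be satisfied without the subscriber's password.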

For more information on any of these threat advisories, please email Sipera VIPER Lab at viper@sipera.com


© Copyright 2010 Sipera Systems, Inc. All rights reserved. Sipera, Sipera UC-Sec and related products, SLiC, Sipera LAVA and Sipera VIPER are trademarks of Sipera Systems, Inc.