VoIPshield Laboratories made its third announcement of security vulnerabilities in Voice over IP systems marketed by Avaya, Cisco and Nortel. Vulnerabilities were also discovered in Microsoft’s VoIP products, and these will be announced next month. Under VoIPshield’s disclosure policy, vendors may request extra time to create and test patches for their applications.
Discovered vulnerabilities include:
Nortel Multimedia Communications Server 5100 Call Spoofing and Redirection
Due to a lack of verification of credentials when calls are being placed it is possible to cause calls on the MCS 5100 to either be placed as if they originate from a given user when they are not, or that they are placed to a given user when they are not.
Nortel Multimedia Communications Server 5100 IP Client Manager UNIStim File Transfer Protocol – Connection Details
Within some Nortel products, notable the MCS 5100, UNIStim File Transfer Protocol (UFTP) is used. UFTP is a proprietary file transfer protocol, which is transported over UNIStim control channel over Reliable UDP. Due to flaws within the handling of UFTP messages it is possible to cause a number of different Denial of Service (DoS) attacks against the affected equipment by manipulating values in Connection Details fields.
Avaya Communication Manager Web Administration Interface – Privilege Elevation Vulnerability
By exploiting vulnerabilities within the web administration interface within a POST command it is possible to perform a variety of actions. By exploiting a vulnerability within the Set Static Routes configuration it is possible to inject commands which will be executed with root privileges.
Avaya Communication Manager Web Administration Interface – Code Execution Vulnerability
By exploiting vulnerabilities within the web administration interface within a POST command it is possible to perform a variety of actions. By exploiting a vulnerability within the Backup History it is possibleto inject commands which will be executed as the logged in user.
Avaya Communication Manager Unauthorized Web Access
By exploiting misconfigurations in the web server on the Communication Manager it is possible to retrieve information or files which an unauthenticated user should not be able to.
Avaya one-X Desktop Edition Session Initiation Protocol Denial of Service
By exploiting a flaw on the Avaya one-X Desktop Edition SIP softphone is it possible to cause a Denial of Service (DoS) against the individual softphone. No authentication is required to perform this DoS.
Avaya IP Softphone H.323 Denial of Service
One of the IP SoftphoneÃ‚Â ports is vulnerable to a Denial of Service (DoS) attack when sent a large amount of data.
Cisco Unity Reports Information Disclosure
The reports section in the shared directory of the Unity server exposes information to all domain users without verifying whether they are Unity users or even the users for whom certain information has been generated.
Cisco Unity Multiple Denial of Service Vulnerabilities
Several services on Unity listen on dynamic UDP ports. Of these services a number are vulnerable to a Denial of Service (DoS) when sent crafted packets.
Cisco Unity Session Exhaustion Denial of Service
Session management on the Unity server appears to be restricted and this allows a malicious user to use up all available sessions denying access to a legitimate administrator. Restoring the ability for new sessions to be established requires a complete system reboot, since simply restarting the default website is insufficient.
Cisco Unity Stored Cross-Site Scripting Vulnerability
While attempts have been made to restrict the ability to perform Cross-Site Scripting attacks against Unity, it is possible to store the script to be executed in the data store in order to cause it to be executed when the next administrator logs in and accesses a page relying on this stored information.
Cisco Unity Authentication Bypass
The native Unity authentication implemented on the web interface can bypassed to gain unauthorized access to a variety of resources.
The first time you attempt connecting to any of the specific links you are redirected to the authentication page. However, any subsequent attempts are then successful even without having entered valid login credentials resulting in either the ability to view information or edit the configuration.