PGP SIGNED MESSAGE-----
CA-2003-06 Multiple vulnerabilities in implementations of the
Session Initiation Protocol (SIP)
release date: February 21, 2003
Last revised: --
revision history can be found at the end of this file.
products from a wide variety of vendors are affected.
Other systems making use of SIP may also be vulnerable but were not
specifically tested. Not all SIP implementations are affected. See
Vendor Information for details from vendors who have provided feedback
for this advisory.
to the vendors who provided feedback for this advisory, a
list of vendors whom CERT/CC contacted regarding these problems is
available from VU#528719.
vulnerabilities have been reported in multiple vendors'
implementations of the Session Initiation Protocol. These
vulnerabilities may allow an attacker to gain unauthorized privileged
access, cause denial-of-service attacks, or cause unstable system
behavior. If your site uses SIP-enabled products in any capacity, the
CERT/CC encourages you to read this advisory and follow the advice
provided in the Solution section below.
Initiation Protocol (SIP) is a developing and newly
deployed protocol that is commonly used in Voice over IP (VoIP),
Internet telephony, instant messaging, and various other applications.
SIP is a text-based protocol for initiating communication and data
sessions between users.
University Secure Programming Group (OUSPG) previously
conducted research into vulnerabilities in LDAP, culminating in CERT
Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03.
most recent research focused on a subset of SIP related to the
INVITE message, which SIP agents and proxies are required to accept
order to set up sessions. By applying the PROTOS c07-sip test suite
a variety of popular SIP-enabled products, the OUSPG discovered
impacts ranging from unexpected system behavior and denial of services
to remote code execution. Note that "throttling" is an expected
for the Session Initiation Protocol are available in
has established the following site with detailed documentation
regarding SIP and the implementation test results from the test suite:
Charter page for SIP is available at
of these vulnerabilities may result in denial-of-service
conditions, service interruptions, and in some cases may allow an
attacker to gain unauthorized access to the affected device. Specific
impacts will vary from product to product.
the mitigation steps recommended below may have significant
impact on your everyday network operations and/or network
architecture. Ensure that any changes made based on the following
recommendations will not unacceptably affect your ongoing network
a patch from your vendor
A contains information provided by vendors for this
advisory. Please consult this appendix and VU#528719 to determine
if your product is vulnerable. If a statement is unavailable, you
may need to contact your vendor directly.
the SIP-enabled devices and services
As a general
rule, the CERT/CC recommends disabling any service or
capability that is not explicitly required. Some of the affected
products may rely on SIP to be functional. You should carefully
consider the impact of blocking services that you may be using.
As a temporary
measure, it may be possible to limit the scope of
these vulnerabilities by blocking access to SIP devices and
services at the network perimeter.
filtering manages the flow of traffic as it enters a
network under your administrative control. Servers are typically
the only machines that need to accept inbound traffic from the
public Internet. Note that most SIP User Agents (including IP
phones or "clien"t software) consist of a User Agent Client
User Agent Server. In the network usage policy of many sites, there
are few reasons for external hosts to initiate inbound traffic to
machines that provide no public services. Thus, ingress filtering
should be performed at the border to prohibit externally initiated
inbound traffic to non-authorized services. For SIP, ingress
filtering of the following ports can prevent attackers outside of
your network from accessing vulnerable devices in the local network
that are not explicitly authorized to provide public SIP services:
# Session Initiation Protocol (SIP)
sip 5060/tcp # Session Initiation Protocol (SIP)
sip 5061/tcp # Session Initiation Protocol (SIP) over TLS
consideration should be given to addresses of the types
mentioned above by sites planning for packet filtering as part of
their mitigation strategy for these vulnerabilities.
note that this workaround may not protect vulnerable devices
from internal attacks.
filtering manages the flow of traffic as it leaves a network
under your administrative control. There is typically limited need
for machines providing public services to initiate outbound traffic
to the Internet. In the case of the SIP vulnerabilities, employing
egress filtering on the ports listed above at your network border
may prevent your network from being used as a source for attacks on
SIP requests directed to broadcast addresses at your router.
SIP requests can be transmitted via UDP, broadcast attacks
are possible. One solution to prevent your site from being used as
an intermediary in an attack is to block SIP requests directed to
broadcast addresses at your router.
A. - Vendor Information
contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If
particular vendor is not listed below, we have not received their
are currently no applications shipped by Apple with Mac OS X
or Mac OS X Server which make use of the Session Initiation
products make use of SIP and thus no BorderWare
products are affected by this vulnerability.
products currently incorporate support for the SIP
protocol suite, and as such, are not vulnerable.
We would however like to extend our thanks to the OUSPG for their
work as well as for the responsible manner in which they handle
their discoveries. Their detailed reports and test suites are
We would also like to reiterate the fact that SIP has yet to
mature, protocol-wise as well as implementation-wise. We do not
recommend that our customers set up SIP relays in parallel to our
firewall products to pass SIP-based applications in or out of
networks where security is a concern of note.
does not have a SIP server product, and is therefore
not affected by this vulnerability.
to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable
because the relevant function is not supported under UXP/V.
not implemented as part of the AIX operating system.
does not do any SIP specific protocol handling and is
therefore not affected by the issues mentioned in the paper cited.
of SIP Express Router up to 0.8.9 are sadly vulnerable
to the OUSPG test suite. We strongly advice to upgrade to version
0.8.10. Please also apply the patch to version 0.8.10 from
before installation and keep on watching this site in the future.
We apologize to our users for the trouble.
Software Security Response Team
cross reference id: SSRT2402
- not vulnerable
HP-MPE/ix - not vulnerable
HP Tru64 UNIX - not vulnerable
HP OpenVMS - not vulnerable
HP NonStop Servers - not vulnerable
potential security vulnerabilities in HP software, send
an E-mail message to: mailto:firstname.lastname@example.org
products are known to be affected by this vulnerability,
however we are still researching the issue and will update this
statement as needed.
has investigated these issues. The Microsoft SIP client
implementation is not affected.
NEC vendor statement for VU#528719
February 13, 2002
* EWS/UP 48 Series operating system
* - is NOT vulnerable, because it does not support SIP.
* IX 1000 / 2000 / 5000 Series
* - is NOT vulnerable, because it does not support SIP.
* We continue to check our products which support SIP protocol.
does not ship any implementation of SIP.
linux 2.4/2.5 netfilter implementation currently doesn't
support connection tracking or NAT for the SIP protocol suite, we
are not vulnerable to this bug.
is not vulnerable to this issue.
products are not affected by this vulnerability.
IP Security Platforms based on IPSO, Nokis Small Office
Solution platforms, Nokia VPN products and Nokia Message Protector
platform do not initiate or terminate SIP based sessions. The
mentioned Nokia products are not susceptible to this vulnerability
Networks is cooperating to the fullest extent with the CERT
Coordination Center. All Nortel Networks products that use Session
Initiation Protocol SIP) have been tested and all generally
available products, with the following exceptions, have passed the
Communication Server 2000 and Succession Communication
Server 2000 - Compact are impacted by the test suite only in
configurations where SIP-T has been provisioned within the
Communication Server; a software patch is expected to be available
by the end of February.
information about Nortel Networks products please
contact Nortel Networks Global Network Support.
America: 1-800-4-NORTEL, or (1-800-466-7835)
Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907
for other regions available at the Global Contact
<http://www.nortelnetworks.com/help/contact/global/> web page.
has no products implementing SIP.
Sidewinder nor Gauntlet implements SIP, so we do not need
to be on the vendor list for this vulnerability.
attest that SecureWorx Basilisk Gateway Security product
suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the
Session Initiation Protocol (SIP) Vulnerability VU#528719 as
described in the OUSPG announcement (OUSPG#0106) received on Fri, 8
Nov 2002 10:17:11 -0500.
StoneGate high availability firewall and VPN product
does not contain any code that handles SIP protocol. No versions of
StoneGate are vulnerable.
Corporation products are not vulnerable to this issue.
Symantec does not implement the Session Initiation Protocol (SIP)
in any of our products.
is aware of this vulnerability and is currently assessing all
products. This statement will be updated as new information becomes
B. - References
5. RFC3261 - SIP: Session Initiation Protocol
6. RFC2327 - SDP: Session Description Protocol
7. RFC2279 - UTF-8, a transformation format of ISO 10646
8. Session Initiation Protocol Basic Call Flow Examples
9. Session Initiation Protocol Torture Test Messages, Draft
Coordination Center thanks the Oulu University Secure
Programming Group for reporting these vulnerabilities to us, for
providing detailed technical analysis, and for assisting us in
preparing this advisory. We would also like to acknowledge the
"RedSkins" project of "MediaTeam Oulu" for their
support of this
on this document can be directed to the authors,
Jason A. Rafail and Ian A. Finlay.
is available from:
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
prefer to use DES, please call the CERT hotline for more
and other security information are available from
our web site
to the CERT mailing list for advisories and bulletins,
send email to email@example.com. Please include in the body of your
and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
for use, disclaimers, and sponsorship information
2003 Carnegie Mellon University.
Feb 21, 2003: Initial release
Version: PGP 6.5.8
-----END PGP SIGNATURE-----