All posts tagged ‘SIP Security’

Sipera Gets Upgraded SIP Security

Source: www.voip-news.com

Sipera Systems’ Sipera IPCS security appliances now have advanced security for SIP trunking. The Sipera VIPER Engine has upgraded security as well.

“Many enterprises today are embracing Unified Communications because they see it playing a key role in increasing the productivity of their organization. What some overlook, however, are the security issues that arise any time an enterprise application is connected to the Internet,” said Matthias Machowinski, Infonetics Research Directing Analyst, Enterprise Voice & Data. “In order to realize the benefits of UC without increasing security risks, enterprises need to add security to their infrastructure that protects against threats in real-time.”

Sipera execs agree.

“As companies extend Unified Communications beyond the enterprise perimeter to allow SIP trunking and mobility solutions, they require sophisticated and comprehensive security from a dedicated UC security provider,” said Eric Winsborrow, Chief Marketing Officer for Sipera Systems. “Sipera’s comprehensive UC security provides threat protection, policy enforcement, access control, and privacy measures, along with the ability to simplify the deployment of SIP trunks and mobile workspaces. Sipera IPCS threat protection is backed by the expertise of and ongoing signature updates from Sipera VIPER Lab to ensure complete protection in real-time.”

Published on June 24th, 2008

Asterisk 1.4.17 released to fix SIP Security Issue.

Source: snapvoip.blogspot.com

The Asterisk development team has released Asterisk version 1.4.17, which fixes a SIP security issue and includes a number of other bug fixes.

The SIP security issue is documented in the published security advisory, AST-2008-001. This issue only affects Asterisk 1.4. Asterisk 1.2 is not affected. Systems that do not use chan_sip are also not affected.

The security advisory is here in PDF format.

The release 1.4.17 is available for immediate download.

Published on January 6th, 2008

Vonage and Others were Warned about SIP ID Theft, Eavesdropping and Other Exploits

Source: snapvoip.blogspot.com

Sipera, the VoIP security firm that I saw first at BlackHat 2007, has warned VoIP firms before disclosing the vulnerabilities. There are multiple vulnerabilities and advisories, and they are listed here.

The tests focused specifically on residential and SMB VoIP service and equipment. I was surprised to find strong authentication, signaling security, and media encryption were lacking; looks like everybody is following Microsoft. Get it out there first and then we fix it as troubles jump up.

So what do these vulnerabilities do to users? Spoofing, eavesdropping, and remote exploits are some of the possibilities.

I will write later today about what you should be looking for in VoIP Security.

Following is the news release by Sipera:


Richardson, TX, October 23, 2007 – Sipera VIPER™ Lab, operated by Sipera Systems, the leader in comprehensive VoIP/UC security solutions, today disclosed multiple threat advisories for users of VoIP services and equipment from Vonage, Globe7 and Grandstream. Among other threats, unwitting VoIP users face eavesdropping, spam, spoofing and denial-of-service (DoS) attacks. Full details on these vulnerabilities are posted as an educational security service to Sipera’s customers and the general public at http://www.sipera.com/viper.

Sipera VIPER Lab determined the Vonage VoIP Motorola Phone Adapter (VT 2142-VD) and Vonage service implementations leave users vulnerable to a form of VoIP identity theft, allowing hackers to take over a user’s phone service with a “registration replay attack,” then make and receive calls while impersonating the victim. Incomplete security practices, such as not encrypting traffic, open Vonage users to eavesdropping on private voice and video communications. Hackers can also send multiple SIP INVITE messages to a user, an Internet version of “ringing the phone off the hook” which creates a DoS attack. Leveraging these vulnerabilities, remote attackers can also send malicious messages directly to Vonage users, subjecting them to spam, social engineering and VoIP scams.

“These vulnerabilities create serious privacy and service availability issues for users,” said Krishna Kurapati, Sipera founder/CTO and head of Sipera VIPER Lab. “Vonage, Globe7 and Grandstream customers can no longer assume that their VoIP providers are automatically securing their services, but they should demand best security practices be followed as a condition of becoming a customer. Sipera VIPER Lab will continue to proactively identify VoIP threats and assist VoIP providers to implement best security practices before attacks occur.”

Sipera VIPER Lab also found issues with European provider Globe7’s online account access, as a result of utilizing unsecured connections and employing a weak encryption scheme. This allows hackers to access confidential name, password and account balance data, as well as steal VoIP service to make and receive calls, masked as a legitimate Globe7 user. Likewise, Sipera VIPER Lab established the Grandstream HandyTone-488 PSTN-to-VoIP adapter is vulnerable to buffer overflows and fragmented packet attacks. By sending a specially crafted SIP INVITE message to public IP addresses, attackers can disconnect legitimate Grandstream users.

Sipera VIPER Lab is comprised of experienced VoIP security researchers operating globally 24/7/365. Since its inception in 2003, Sipera VIPER Lab has identified thousands of vulnerabilities and security threats which include fuzzing, floods and distributed floods, spoofing, stealth attacks and spam. VIPER Lab research is used to continuously improve the Sipera IPCS products that protect, control and enable real-time unified communications for enterprises and service providers. Sipera VIPER Lab also recently launched a blog to discuss ongoing VoIP attacks and VoIP/UC vulnerabilities at http://www.sipera.com/viper/blog.

Eavesdropping vulnerability in SIP stacks with the code

Source: snapvoip.blogspot.com

An eavesdropping vulnerability was revealed on the popular Full Disclosure mailing list on Wednesday. Vulnerability researchers Humberto Abdelnur, Radu State and Olivier Festor claimed the exploit could allow a remote attacker to turn a VoIP phone into an eavesdropping device, citing a Grandstream SIP phone as an example.

While playing with the SIP Madynes stateful fuzzer (for a description see http://hal.inria.fr/inria-00166947/en), we have realized that some SIP stack engines have serious bugs allowing to an attacker to automatically make a remote phone accept the call without ringing and without asking the user to take the phone from the hook, such that the attacker might be able to listen to all conversations that take place in the remote room without being noticed. One example that we can disclose (vendor was notified on 10th May 2007) is the following: Grandstream SIP Phone GXV-3000

MADYNES Security Advisory: SIP remote attack on Grandstream SIP Phone GXV-3000

Date of Discovery: 7th May, 2007

ID: KIPH7

Background

SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP signalization. SIP is an ASCII based INVITE message is used to initiate and maintain a communication session.

Affected devices: Grandstream SIP Phone GXV-3000 with latest available firmware 1.0.1.7 Loader-- 1.0.0.6 Boot-- 1.0.0.18

Impact

A malicious user can remotely eavesdrop (a remote location) and perform DOS on a remote phone.

Resolution

Fixed software will be available from the vendor and customers following recommended best practices (i.e. segregating VOIP traffic from data) will be protected from malicious traffic in most situations.

The vulnerability is based in a sequence of two messages, where both messages are syntactically right, but together they turn the device in an inconsistent state, where the RTP is now sent to the attacker.

ougui at 152.81.48.94:5060 is the attacker
1005 at 152.81.48.88:5060 the attacked phone

    X ------ INVITE ------> GXV-3000
    X ------ 100 Trying ------> GXV-3000
    X ------ 180 Ringing ------> GXV-3000
    X ------ 183 Session Progress -------> GXV-3000
    X ------ RTP - FLOW -------> GXV-3000

After these messages the device is not able to hang up so a remote DOS can be also done.

Credits:
* Humberto J. Abdelnur (Ph.D Student)
* Radu State (Ph.D)
* Olivier Festor (Ph.D)

Exploit Code :
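Added example, not part of the advisory and not the exploit code it refers to: a detection check for the out-of-state sequence described above, where the party that sent an INVITE also sends a response for that same INVITE. It generalizes from the 183 case to any response status; the addresses, Call-IDs and trace format are constructed for illustration.

```python
import re

def msg(start, call_id, cseq):
    """Build a minimal constructed SIP message (sample data only)."""
    return f"{start}\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n\r\n"

CALLER, PHONE = "192.0.2.10:5060", "192.0.2.20:5060"  # constructed addresses
SAMPLE_TRACE = [  # constructed (src, dst, raw message) tuples
    (CALLER, PHONE, msg("INVITE sip:phone@192.0.2.20 SIP/2.0", "a1", "1 INVITE")),
    (CALLER, PHONE, msg("SIP/2.0 183 Session Progress", "a1", "1 INVITE")),
    (CALLER, PHONE, msg("INVITE sip:phone@192.0.2.20 SIP/2.0", "b2", "1 INVITE")),
    (PHONE, CALLER, msg("SIP/2.0 180 Ringing", "b2", "1 INVITE")),
    (PHONE, CALLER, msg("SIP/2.0 200 OK", "b2", "1 INVITE")),
]

def parse_sip(raw):
    """Return (kind, value, call_id, cseq_num, cseq_method), or None if malformed."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    call_id = hdrs.get("call-id") or hdrs.get("i")  # "i" is the compact form
    cseq = hdrs.get("cseq", "").split()
    if call_id is None or len(cseq) != 2 or not cseq[0].isdigit():
        return None
    status = re.match(r"SIP/2\.0 (\d{3})", lines[0])
    if status:
        return ("response", int(status.group(1)), call_id, int(cseq[0]), cseq[1])
    return ("request", lines[0].split()[0], call_id, int(cseq[0]), cseq[1])

def find_reversed_responses(trace):
    """Flag responses to an INVITE that come from the INVITE's own sender."""
    inviter = {}  # (call_id, cseq_num) -> address that sent the INVITE
    alerts = []
    for src, dst, raw in trace:
        parsed = parse_sip(raw)
        if parsed is None:
            continue  # malformed input is skipped, not treated as an alert
        kind, value, call_id, num, method = parsed
        key = (call_id, num)
        if kind == "request" and value == "INVITE":
            inviter.setdefault(key, src)
        elif kind == "response" and method == "INVITE" and inviter.get(key) == src:
            alerts.append({"call_id": call_id, "status": value, "src": src, "dst": dst})
    return alerts
```

On the constructed trace, only the 183 sent by the caller in dialog `a1` is flagged; the normal call `b2` produces no alert.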
