[VOIPSEC] VoIP-Phones: Weakness in processing

Geoff Devine gdevine at cedarpointcom.com
Fri Jul 22 06:22:13 CDT 2005


Ari concluded:
>There is nothing new or special in this bug, it is just a quality
>assurance flaw that should have been tested away.
>
>/Ari
>
>PS: Update your SIP phone regularly!

...but...

My point is that SIP has enough complexity that you can't possibly test all possible permutations of messages and message sequences.  You've just taken an unsolvable problem and tossed it in the lap of your QA group.  Unless you insist on a well-defined SIP profile and filter messages that don't fit within that profile, you're always going to have a significant vulnerability to attacks by malformed SIP messages and sequences.  In the carrier-class cable voice space I live in, the certification process for a code image on a VoIP device takes many months.  Cable operators are going to be reluctant to take shotgun images from their vendors that risk creating millions of truck rolls when a bug in a new image turns that device into a doorstop.  This has happened with set-top boxes and that kind of mistake costs tens of millions of dollars.  Even worse, you can attack core facilities like media gateway controllers with malformed SIP messages and sequences.  That could end up denying service to everybody in the network, not just a small set of VoIP terminal devices.

Geoff



________________________________

From: Ari Takanen [mailto:art at codenomicon.com]
Sent: Thu 7/21/2005 8:03 PM
To: Geoff Devine
Cc: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] VoIP-Phones: Weakness in processing



Geoff,

Sorry I could not respond to your comment earlier. You said that all
permutations are impossible to test, which is of course true, but we
have to try. Both robustness tests and fuzzers are attempting to cover
all these unexpected inputs. Fuzzers are typically semi-random,
whereas robustness tests are more advanced, systematic and "smart".

One can start with the free robustness testing techniques introduced
by PROTOS in their SIP and H.323 test-suites. I hope all vendors are
using them by now. PROTOS provides the minimum baseline for
robustness. Also, that PROTOS research shows that it is not only ASCII
protocols that have these problems. Actually many binary protocols
described in ASN.1 have much more serious problems due to the freedom
of being able to describe just about any type of structure with it.

PROTOS tests in SIP have been continued in our company, and
Codenomicon SIP Test Tool is constantly increasing the test coverage
in SIP. From the 4500 PROTOS tests, we are already beyond 100,000 test
cases for SIP. But the number of test cases is not important, it is
the coverage of the tools. You can have millions of redundant fuzzing
test cases and still not even reach the coverage of PROTOS.

It is good to finally notice that people looking for security flaws in
SIP are going beyond the robustness testing coverage of PROTOS! It has
been quite quiet after the release of PROTOS test-suite by CERT/CC.
There is lots of work quietly being done in the commercial companies
though. For example, our company is working with our commercial
customers to fix these issues without disclosing any of the found
flaws publicly. Nobody wants public attention to SIP weaknesses, and
it is in nobody's interest for the exploits to start spreading in VoIP
scene (except perhaps that might be the interest of the hackers).

There is nothing new or special in this bug, it is just a quality
assurance flaw that should have been tested away.

/Ari

PS: Update your SIP phone regularly!

On Fri, Jul 08, 2005 at 09:01:10AM -0400, Geoff Devine wrote:
> I'd point out that this kind of problem is the most glaring security
> weakness with SIP.  As a completely unstructured text-based
> protocol, you can't possibly test all permutations of SIP messages.
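Both halves of this exchange can be put side by side in code: Geoff's call for a well-defined SIP profile that filters anything outside it, and Ari's point that PROTOS-style robustness cases are exactly the unexpected inputs such a filter has to survive. The following is an added example, not code from either poster, from PROTOS or from Codenomicon. The profile (method list, line and body limits, the tightened From/To address grammar) is a hypothetical operator policy layered on RFC 3261, the baseline INVITE is constructed, and the anomaly classes are our own, written in the spirit of the PROTOS suite rather than taken from it.

```python
# Added example, not from the thread, PROTOS or Codenomicon: a strict SIP request
# profile filter plus PROTOS-style anomalies; limits, names and sample are constructed.
import re

PROFILE_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")
MAX_LINE_LEN, MAX_MESSAGE_LEN, MAX_BODY_LEN = 1024, 65535, 4096  # hypothetical limits

_REQUEST_LINE = re.compile(r"^([A-Z]{1,16}) (sips?:\S{1,256}) SIP/2\.0$")
_HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]{0,63}):[ \t]*(.*)$")
_CSEQ = re.compile(r"^(\d{1,10}) ([A-Z]{1,16})$")
_ADDR = re.compile(r'^(?:"[^"\\]{0,64}" )?<?sips?:[^\s<>;]{1,256}>?'  # From/To, tightened
                   r'(?:;[A-Za-z0-9-]{1,32}(?:=[A-Za-z0-9.+-]{1,64})?)*$')


def parse_sip_request(raw: bytes):
    """Return (method, headers, body) if raw fits the profile; otherwise raise
    ValueError naming the first violated rule, which is what the filter logs."""
    if len(raw) > MAX_MESSAGE_LEN:
        raise ValueError("message too large")
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing CRLF CRLF header terminator")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII byte in headers") from None
    m = _REQUEST_LINE.match(lines[0])
    if not m or m.group(1) not in PROFILE_METHODS:
        raise ValueError("malformed request line or method outside profile")
    method = m.group(1)
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE_LEN:
            raise ValueError("header line too long")
        if any(ord(ch) < 0x20 and ch != "\t" or ch == "\x7f" for ch in line):
            raise ValueError("control character in header")
        h = _HEADER_LINE.match(line)  # also rejects folded continuation lines
        if not h:
            raise ValueError(f"malformed header line {line[:40]!r}")
        headers.setdefault(h.group(1).lower(), []).append(h.group(2).strip())
    for name in REQUIRED_HEADERS:  # Via may repeat across proxies; the rest may not
        if name not in headers or (name != "via" and len(headers[name]) != 1):
            raise ValueError(f"header {name} missing or repeated")
    c = _CSEQ.match(headers["cseq"][0])
    if not c or c.group(2) != method or int(c.group(1)) >= 2 ** 31:
        raise ValueError("malformed CSeq or CSeq method mismatch")
    mf = headers["max-forwards"][0]
    if not mf.isdigit() or int(mf) > 255:
        raise ValueError("Max-Forwards must be 0..255")
    for name in ("from", "to"):
        if not _ADDR.match(headers[name][0]):
            raise ValueError(f"malformed {name} address")
    declared = headers.get("content-length", [str(len(body))])[0]
    if not declared.isdigit() or int(declared) != len(body) or len(body) > MAX_BODY_LEN:
        raise ValueError("Content-Length mismatch or body too large")
    return method, headers, body


BASE_REQUEST = (  # constructed sample request, not a capture
    b"INVITE sip:bob@example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"From: <sip:alice@example.net>;tag=1928301774\r\n"
    b"To: <sip:bob@example.net>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def protos_style_anomalies(base: bytes) -> dict:
    """One broken variant per anomaly class, in the spirit of PROTOS (our classes, not its cases)."""
    def r(old, new): return base.replace(old, new, 1)
    return {
        "overlong_via": r(b"branch=z9hG4bK776asdhds", b"branch=" + b"A" * 5000),
        "missing_call_id": r(b"Call-ID: a84b4c76e66710@192.0.2.10\r\n", b""),
        "cseq_method_mismatch": r(b"CSeq: 314159 INVITE", b"CSeq: 314159 BYE"),
        "content_length_lie": r(b"Content-Length: 0", b"Content-Length: 99999"),
        "nul_in_header": r(b"Max-Forwards: 70", b"Max-Forwards: 7\x000"),
        "format_string_in_to": r(b"To: <sip:bob@example.net>", b"To: %s%s%n%n"),
        "utf8_in_header_name": r(b"From:", b"Fr\xc3\xb6m:"),
        "truncated_terminator": base[:-2],
    }


def run_suite() -> dict:
    """Screen the baseline and every anomaly the way a filter in front of the
    SIP stack would: name -> 'ACCEPTED' or 'REJECTED: <rule>'."""
    verdicts = {}
    for name, raw in {"baseline": BASE_REQUEST, **protos_style_anomalies(BASE_REQUEST)}.items():
        try:
            parse_sip_request(raw)
            verdicts[name] = "ACCEPTED"
        except ValueError as e:
            verdicts[name] = f"REJECTED: {e}"
    return verdicts
```

run_suite() returns the verdict table: the baseline is accepted and each anomaly comes back with the single rule it tripped, so the filter never has to know which input would crash a particular stack, only what a conforming message looks like. Two caveats a practitioner will want: the filter is itself a parser sitting on the same untrusted input, so it has to be run through the same robustness suite as the stack it protects, and every rule above (no folding, exactly one From/To, a 255 Max-Forwards ceiling) is a deployment decision that will break some legitimate peer if the profile is drawn too tight.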
