SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Your Ad Here
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (VoIP)  >  Columbia SIP User Agent (sipc) Vendors:  SIP Communications, Inc.
Columbia SIP User Agent (sipc) SIP Protocol Bugs Let Remote Users Deny Service
SecurityTracker Alert ID:  1006167
SecurityTracker URL:  http://securitytracker.com/id?1006167
CVE Reference:  CVE-2003-1110   (Links to External Site)
Updated:  Jul 7 2008
Original Entry Date:  Feb 25 2003
Impact:  Denial of service via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 1.74
Description:  A vulnerability was reported in the Columbia Session Initiation Protocol (SIP) User Agent (sipc). A remote user may be able to cause denial of service on the IP telephony management software.

The Oulu University Secure Programming Group (OUSPG) and CERT (CA-2003-06) reported vulnerabilities in implementations of the Session Initiation Protocol (SIP), used for Voice over IP. OUSPG applied the PROTOS c07-sip test suite (http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/) against several vendor products to test the processing of the SIP INVITE message, used to set up sessions.

The vulnerabilities affect several vendor implementations. In general, the vulnerabilities may allow a remote user to gain access to the system or cause denial of service conditions. However, it is reported that for sipc, only denial of service conditions apply.

It is reported that sipc contains vulnerabilities in the processing of SIP INVITE messages. A remote user can cause the sipc process to send responses to invalid addresses. A remote user may also be able to cause sipc to hang by sending either fragmented or improperly formatted SIP INVITE messages to the target system.
Impact:  A remote user can cause denial of service conditions on the system.
Solution:  The vendor has released a fixed version (version 2.0, build 2003-02-21), available from kchin@sipcomm.com.
Vendor URL:  www.cs.columbia.edu/~xiaotaow/sipc/ouspg.html (Links to External Site)
Cause:  Boundary error, Exception handling error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Tue, 25 Feb 2003 10:55:03 -0500
Subject:  Sipc

 

http://www.cs.columbia.edu/~xiaotaow/sipc/ouspg.html

Vulnerabilities Found by PROTOS SIP Test Suite

Summary

Sipc (version 1.74) contains vulnerabilities in the processing of Session Initiation Protocol (SIP)
INVITE messages. These vulnerabilities were identified by the University of Oulu Secure Programming
Group (OUSPG) "PROTOS" Test Suite for SIP and can be repeatedly exploited to produce a deni
al of
service. In sipc (version 2.0, build 2003-02-21), these vulnerabilities have been fixed.

Details

Sipc (version 1.74) fails on several test-groups of "PROTOS" Test Suite for SIP . The test 
cases
cause sipc sending responses to invalid addresses or hanging on mis-formatted or fragmented SIP
INVITE messages. These vulnerabilities have been resolved in sipc (verson 2.0, build 2003-02-21)
with adding stricter address checking and more robust error handling functions.

Obtaining fixed software

Please contact kchin@sipcomm.com for software upgrade for sipc (version 2.0, build 2003-02-21).


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC