The UNIStim signaling protocol is vulnerable to spoofed
re-authentication messages. A malicious user can send spoofed registration
messages to the server to which a UNIStim IP phone is connected. This can
force the legitimate IP phone into a situation where it must re-register
with the server to maintain service. A continuous stream of these messages
prevents the IP phone from properly registering.
Nortel has noted this as:
Title: DoS Potential Vulnerability - UNIStim IP Phone Forced to Re-register
Follow the recommended actions for the affected systems, as identified in
the Nortel Advisory.
Technical Description:
----------------------
A malicious user can send a resume message to the signaling server to which
an IP phone is connected. The resume message is a UNIStim UDP datagram. To
determine which IP phone wants to resume the connection, the signaling server
reads the source IP address from the UDP datagram to identify the client. That
means we can send a spoofed resume UNIStim UDP datagram. The server sends the
new sequence number back to the IP phone. However, because we spoofed the
above message, we don't see the response. The effect is that the IP phone is
out of sync with the server. During this time, the IP phone cannot take or
make any calls. As soon as the IP phone realizes that it is out of sync
(watchdog timeout expired), it will re-authenticate against the signaling
server. Note that if
the malicious user continues to send spoofed resume messages
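
One way to detect the forced re-registration pattern described above, added here as an example and not taken from the advisory or from Nortel: it counts resume events that are followed by a re-authentication from the same phone IP within an assumed watchdog interval. The event tuples, function name, and thresholds are constructed assumptions, not a real Nortel log format.

```python
from collections import defaultdict, deque

# Constructed sample events (hypothetical, not a Nortel log format):
# (time in seconds, phone IP, event)
# "resume"   = signaling server accepted a resume datagram for this source IP
# "register" = the phone started a full re-authentication
SAMPLE_EVENTS = [
    (0, "10.0.0.21", "register"),
    (100, "10.0.0.21", "resume"), (130, "10.0.0.21", "register"),
    (140, "10.0.0.21", "resume"), (170, "10.0.0.21", "register"),
    (180, "10.0.0.21", "resume"), (210, "10.0.0.21", "register"),
    (50, "10.0.0.22", "register"),
    (400, "10.0.0.22", "resume"),            # ordinary resume, no re-register
    (900, "10.0.0.23", "resume"), (2000, "10.0.0.23", "register"),  # unrelated
]

WATCHDOG_S = 60   # assumed upper bound on the resume -> re-register delay
WINDOW_S = 300    # sliding window in which cycles are counted
THRESHOLD = 3     # cycles inside the window that raise an alert


def find_forced_reregistration(events, watchdog=WATCHDOG_S,
                               window=WINDOW_S, threshold=THRESHOLD):
    """Return {phone_ip: time of first alert} for phones that keep being
    pushed from a resume into a re-authentication."""
    last_resume = {}             # phone_ip -> time of latest unmatched resume
    cycles = defaultdict(deque)  # phone_ip -> times of resume/re-register cycles
    alerts = {}
    for ts, ip, event in sorted(events):
        if event == "resume":
            last_resume[ip] = ts
        elif event == "register":
            resumed_at = last_resume.pop(ip, None)
            if resumed_at is None or ts - resumed_at > watchdog:
                continue         # registration not tied to a recent resume
            recent = cycles[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()  # drop cycles that fell out of the window
            if len(recent) >= threshold and ip not in alerts:
                alerts[ip] = ts
    return alerts


if __name__ == "__main__":
    for ip, ts in find_forced_reregistration(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: repeated resume/re-register cycles by t={ts}s")
```
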