|
|
#################################################=0D
#=0D
# COMPASS SECURITY ADVISORY http://www.csnc.ch/=0D
#=0D
#################################################=0D
#=0D
# Product: OmniPCX Enterprise=0D
# Vendor: Alcatel=0D
# Subject: VoIP Phone Audio Stream Rerouting Vulnerability=0D
# Risk High=0D
# Effect Currently exploitable=0D
# Author: Daniel Stirnimann (daniel.stirnimann (at) csnc (dot) ch)=0D
# Date: November, 19th 2007=0D
#=0D
#################################################=0D
=0D
Introduction:=0D
-------------=0D
If a malicious user sends a TFTP request to the=0D
signaling server with the MAC address of the=0D
victim=92s VoIP phone as part of the file name, he=0D
is able to reroute only the audio stream coming=0D
from the other end of the call to his computers IP=0D
address.=0D
Even though an Alcatel VoIP phone can make or take=0D
calls, and send audio, it is prevented from hearing anything said at the other end of the=0D
communication. The VoIP phone needs to be rebooted=0D
manually in order to work again.=0D
=0D
This vulnerability may be further exploited by=0D
rerouting the audio stream to the victim=92s VoIP=0D
phone again. This would only allow the malicious=0D
user to eavesdrop on half of the victim's audio=0D
communication: what the victim says is not=0D
intercepted, only on the answers made by the other=0D
party would be overheard. Note, this scenario has=0D
not been verified.=0D
=0D
Vulnerable:=0D
-----------=0D
Alcatel OmniPCX Enterprise release 7.1 and earlier=0D
=0D
Not vulnerable:=0D
---------------=0D
Alcatel OmniPCX Enterprise release 8.0=0D
=0D
Vulnerability Management:=0D
-------------------------=0D
June 2007: Vulnerability found=0D
June 2007: Alcatel Security notified=0D
November 2007: Alcatel Advisory available=0D
November 2007: Alcatel Security Information=0D
=0D
Alcatel-Lucent information:=0D
---------------------------=0D
http://www1.alcatel-lucent.com/psirt/statements.htm=0D
Number 2007004=0D
=0D
Reference:=0D
http://www.csnc.ch/static/advisory/secadvisorylist.html=0D
=0D