Potentially serious vulnerability in a number of SIP endpoints
Sjur Usken and Sandro Gauci have discovered a major flaw in the SIP implementations on a wide range of IP phones. The short explanation is that the phones do not verify where a proxy authentication request is coming from and happily return the SIP authentication information. It is hashed and salted, but the salt is chosen by the attacker, so a set of rainbow tables would make cracking it trivial. For full details, check out Sjur’s blog post (which spread fairly rapidly around the VoIP world) and his latest post showing the trace as he attacked a Cisco 7940 I set up for this purpose.
Until the phone vendors release fixed firmware (if they do) the only way to defend yourself from this is to not have phones exposed on public IP addresses. If they have to be for some reason (we all know SIP and NAT really don’t get along, and proper SIP aware NAT devices cost a fair bit) set firewall rules that prevent the phones from speaking SIP to any IPs that aren’t part of your VoIP system. Alternatively, in the event that every single phone on your system is statically addressed, the reverse could be done at the registrar side. It wouldn’t stop the attackers from finding the password, but it would prevent them from using it in any way.
The implications of an attacker gaining the SIP authentication information are of course severe, once they have that they can imitate the attacked phone and make calls to any number of regions potentially costing thousands of dollars in the course of a single night.
