Original release date: February 21, 2003<BR> 
Last revised: Tue May 21 16:12:47 EST 2003<BR>
Source: CERT/CC<BR>

<P>A complete revision history can be found at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>

<p>SIP-enabled products from a wide variety of vendors are affected. Other systems making use of SIP may also be vulnerable but were not
specifically tested. Not all SIP implementations are affected. See <a href="#vendors">Vendor Information</a> for
details from vendors who have provided feedback for this advisory. 

<p>In addition to the vendors who provided feedback for this advisory, a
list of vendors whom CERT/CC contacted regarding these problems is
available from <a
href="http://www.kb.cert.org/vuls/id/528719">VU#528719</a>.

<A NAME="overview">
<H2>Overview</H2>

<P>Numerous vulnerabilities have been reported in multiple vendors'
implementations of the Session Initiation Protocol. These vulnerabilities
may allow an attacker to gain unauthorized privileged access, cause <A
HREF="http://www.cert.org/tech_tips/denial_of_service.html">denial-of-service
 attacks</A>, or cause unstable system behavior. If your site uses 
SIP-enabled products in any capacity, the CERT/CC encourages you to read this
advisory and follow the advice provided in the <A
HREF="#solution">Solution</A> section below.

<A NAME="description">
<H2>I. Description</H2>

<p>The Session Initiation Protocol (SIP) is a developing and newly
deployed protocol that is commonly used in Voice over IP (VoIP), Internet
telephony, instant messaging, and various other applications. SIP is a
text-based protocol for initiating communication and data sessions between
users.

<p> The Oulu University Secure Programming Group (OUSPG) previously conducted research into
vulnerabilities in LDAP, culminating in <a
href="http://www.cert.org/advisories/CA-2001-18.html">CERT Advisory
CA-2001-18</a>, and SNMP, resulting in <a
href="http://www.cert.org/advisories/CA-2002-03.html">CERT Advisory
CA-2002-03</a>.

<p> OUSPG's most recent research focused on a subset of SIP related to the
INVITE message, which SIP agents and proxies are required to accept in
order to set up sessions. By applying the <A
HREF="http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/">PROTOS
c07-sip test suite</A> to a variety of popular SIP-enabled products, the
OUSPG discovered impacts ranging from unexpected system behavior and
denial of service to remote code execution. Note that "throttling" is an 
expected behavior.</p>

<p>Specifications for the Session Initiation Protocol are available in
RFC3261:

<blockquote>
<a href="http://www.ietf.org/rfc/rfc3261.txt">http://www.ietf.org/rfc/rfc3261.txt</a>
</blockquote>

<p>OUSPG has established the following site with detailed documentation 
regarding SIP and the implementation test results from the test suite:

<blockquote>
<a
href="http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/">http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/</a>
</blockquote>


<p>The IETF Charter page for SIP is available at

<blockquote>
   <a href="http://www.ietf.org/html.charters/sip-charter.html">http://www.ietf.org/html.charters/sip-charter.html</a>
</blockquote>

<A NAME="impact">
<H2>II. Impact</H2>

Exploitation of these vulnerabilities may result in denial-of-service
conditions, service interruptions, and in some cases may allow an attacker
to gain unauthorized access to the affected device. Specific impacts will
vary from product to product.


<A NAME="solution">
<H2>III. Solution</H2>

<p>Many of the mitigation steps recommended below may have significant
impact on your everyday network operations and/or network architecture.  
Ensure that any changes made based on the following recommendations will
not unacceptably affect your ongoing network operations capability.</p>


<H4>Apply a patch from your vendor</H4>
<blockquote>

<P><A HREF="#vendors">Appendix A</A> contains information provided by
vendors for this advisory. Please consult this appendix and <a 
href="http://www.kb.cert.org/vuls/id/528719#systems">VU#528719</a> to
determine if your product is vulnerable. If a statement is unavailable,
you may need to contact your vendor directly. </blockquote>

<h4>Disable the SIP-enabled devices and services</h4>
<blockquote>

<p>
As a general rule, the CERT/CC recommends disabling any service or
capability that is not explicitly required. Some of the affected products
may rely on SIP to be functional. You should carefully consider the impact
of blocking services that you may be using. 
</p>
</blockquote>

<p>

<h4>Ingress filtering</h4>
<blockquote>
As a temporary measure, it may be possible to limit the scope of these
vulnerabilities by blocking access to SIP devices and services at the
network perimeter.

<p>

Ingress filtering manages the flow of traffic as it enters a network under
your administrative control. Servers are typically the only machines that
need to accept inbound traffic from the public Internet. Note that most
SIP User Agents (including IP phones or "client" software) consist of a
User Agent Client and a User Agent Server. In the network usage policy of
many sites, there are few reasons for external hosts to initiate inbound
traffic to machines that provide no public services.  Thus, ingress
filtering should be performed at the border to prohibit externally
initiated inbound traffic to non-authorized services. For SIP, ingress
filtering of the following ports can prevent attackers outside of your
network from accessing vulnerable devices in the local network that are
not explicitly authorized to provide public SIP services: <p>

<blockquote>
<font face="courier"><small>
sip&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;5060/udp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# 
Session Initiation Protocol (SIP)<br>
sip&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;5060/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# 
Session Initiation Protocol (SIP)<br>
sip&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;5061/tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# 
Session Initiation Protocol (SIP) over TLS<br>
</small></font>
</blockquote>
<p>

<p>Careful consideration should be given to addresses of the types
mentioned above by sites planning for packet filtering as part of
their mitigation strategy for these vulnerabilities.</p>
<P>

<p>
Please note that this workaround may not protect vulnerable devices
from internal attacks.
</blockquote>

<h4>Egress filtering</h4>
<blockquote>

Egress filtering manages the flow of traffic as it leaves a network
under your administrative control. There is typically limited need for
machines providing public services to initiate outbound traffic to
the Internet. In the case of the SIP vulnerabilities, employing egress
filtering on the ports listed above at your network border may prevent
your network from being used as a source for attacks on other sites.
</blockquote>


<H4>Block SIP requests directed to broadcast addresses at your 
router.</H4>

<blockquote>

Since SIP requests can be transmitted via UDP, broadcast attacks are
possible. One solution to prevent your site from being used as an
intermediary in an attack is to block SIP requests directed to broadcast 
addresses at your router.

</blockquote>
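
<p>The three border rules above (ingress filtering, egress filtering, and blocking SIP to broadcast addresses) can be combined into one decision function, shown here as an added illustration that is not part of the CERT/CC advisory. The network ranges, the authorized server address, the function names, and the choice to let the authorized SIP server initiate outbound SIP are assumptions constructed for the example.</p>

```python
import ipaddress

# Ports listed in the advisory: 5060/udp, 5060/tcp, 5061/tcp (SIP over TLS).
SIP_PORTS = {("udp", 5060), ("tcp", 5060), ("tcp", 5061)}

# Assumed site layout, constructed for this example (documentation/private ranges).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("10.20.0.0/16")]
# Assumed: the only host explicitly authorized to provide public SIP services.
AUTHORIZED_SIP_SERVERS = {ipaddress.ip_address("192.0.2.10")}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def is_broadcast(addr):
    """Limited broadcast, or the directed broadcast of an internal subnet."""
    if addr == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(addr == net.broadcast_address for net in INTERNAL_NETS)


def border_decision(src, dst, proto, dport):
    """Return (action, reason) for the first packet of a flow at the border.

    Reply traffic for permitted flows is assumed to be handled by the
    firewall's own state tracking and is not modelled here.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if (proto.lower(), dport) not in SIP_PORTS:
        return ("pass", "not a SIP port")
    # Broadcast check comes first: it applies whatever the source is.
    if is_broadcast(dst):
        return ("drop", "SIP to broadcast address")
    if not is_internal(src) and is_internal(dst):
        if dst in AUTHORIZED_SIP_SERVERS:
            return ("pass", "authorized public SIP server")
        # Covers IP phones and soft clients: their User Agent Server
        # side listens on the SIP port even though they are "clients".
        return ("drop", "ingress SIP to non-authorized host")
    if is_internal(src) and not is_internal(dst):
        if src in AUTHORIZED_SIP_SERVERS:
            return ("pass", "authorized SIP server outbound")
        return ("drop", "egress SIP from non-authorized host")
    # Internal-to-internal traffic never reaches the border filter, which
    # is why the workaround does not protect against internal attacks.
    return ("pass", "does not cross the border")


# Constructed sample flows: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.0.2.10", "udp", 5060),
    ("203.0.113.7", "192.0.2.55", "udp", 5060),
    ("203.0.113.7", "192.0.2.255", "udp", 5060),
    ("10.20.3.4", "198.51.100.9", "tcp", 5061),
    ("10.20.3.4", "192.0.2.55", "udp", 5060),
    ("203.0.113.7", "192.0.2.55", "tcp", 443),
]


def evaluate(flows):
    """Return the list of actions for a sequence of flow tuples."""
    return [border_decision(*flow)[0] for flow in flows]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", border_decision(*flow))
```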



<A NAME="vendors">
<H2>Appendix A. - Vendor Information</H2>

<P>This appendix contains information provided by vendors for this
advisory.  As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history.  If a
particular vendor is not listed below, we have not received their
comments.</P>


<!-- begin vendor -->
<a name="alcatel">
<h4>Alcatel</h4>
<p>
<blockquote>

Following CERT advisory CA-2003-06 on security vulnerabilities in SIP
implementations, Alcatel has conducted an immediate assessment to
determine any impact this may have on our portfolio. A first analysis has
shown that the OmniPCX Enterprise 5.0 Lx is impacted. Alcatel is currently
working on a fix that will be made available via our business partners.
Customers may wish to contact their support for more information. The
security of our customers' networks is of highest priority for Alcatel.
Therefore we continue to test our product portfolio against potential SIP
security vulnerabilities and will provide updates if necessary.

</blockquote>
</p>
<!-- end vendor -->


<!-- begin vendor -->
<a name="aol">
<h4>America Online Inc</h4>
<p>
<blockquote>
Not vulnerable.

</blockquote>
</p>
<!-- end vendor -->


<!-- begin vendor -->
<a name="apple">
<h4>Apple Computer Inc.</h4>
<p>
<blockquote>
There are currently no applications shipped by Apple with Mac OS X or Mac OS X
Server which make use of the Session Initiation Protocol.

</blockquote>
</p>
<!-- end vendor -->

<!-- begin vendor -->
<a name="avaya">
<h4>Avaya</h4>
<p>
<blockquote>
Avaya products are not vulnerable.
</blockquote>
</p>
<!-- end vendor -->




<!-- begin vendor -->
<a name="Borderware">
<h4>Borderware</h4>
<p>
<blockquote>
No BorderWare products make use of SIP and thus no BorderWare products are
affected by this vulnerability.

</blockquote>
</p>
<!-- end vendor -->

<!-- begin vendor -->
<a name="checkpoint">
<h4>Check Point</h4>
<p>
<blockquote>

No Check Point products are vulnerable to the described attacks.  
FireWall-1 blocks the majority of the attacks described in this advisory
through strict enforcement of the SIP protocol.

</blockquote>
</p>
<!-- end vendor -->

<!-- begin vendor -->
<a name="cirpack">
<h4>Cirpack</h4>
<p>
<blockquote>

Cirpack Switches &lt;<a
href="http://www.cirpack.com/products/">http://www.cirpack.com/products</a>&gt;
deployed by telecom service providers for carrier-class SIP voice services
are not vulnerable to the problem described in VU#528719 as of software
version = 4.3c. If your Cirpack switches use an earlier software version,
please contact your Cirpack account manager.

 </blockquote> </p> <!-- end vendor -->



<!-- begin vendor -->
<a name="cisco">
<h4>Cisco Systems</h4>
<p>
<blockquote>
Cisco Systems is addressing the vulnerabilities identified by VU#528719
across its entire product line. Cisco has released an advisory:   
<br><br>
<a 
href="http://www.cisco.com/warp/public/707/cisco-sa-20030221-protos.shtml">http://www.cisco.com/warp/public/707/cisco-sa-20030221-protos.shtml</a>
</blockquote>
</p>
<!-- end vendor -->

<!-- begin vendor -->
<a name="clavister">
<h4>Clavister</h4>
<p>
<blockquote>
No Clavister products currently incorporate support for the SIP protocol suite,
and as such, are not vulnerable.
<br><br>
We would however like to extend our thanks to the OUSPG for their work as well
as for the responsible manner in which they handle their discoveries.  Their
detailed reports and test suites are certainly well-received.
<br><br>
We would also like to reiterate the fact that SIP has yet to mature,
protocol-wise as well as implementation-wise.  We do not recommend that our
customers set up SIP relays in parallel to our firewall products to pass
SIP-based applications in or out of networks where security is a concern of
note.
</blockquote>
</p>
<!-- end vendor -->

<!-- begin vendor -->
<a name="sipc">
<h4>Columbia SIP User Agent (sipc)</h4>
<p>
<blockquote>
Sipc (version 1.74) contains vulnerabilities identified by
<a href="http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/">
OUSPG PROTOS SIP Test Suite</a>. The vulnerabilities have been resolved in
sipc (version 2.0, build 2003-02-21). Please see
<a href="http://www.cs.columbia.edu/~xiaotaow/sipc/ouspg.html">
sipc (version 1.74) vulnerabilities found by PROTOS SIP Test Suite</a>
for detailed information.

We strongly advise upgrading to sipc version 2.0, which is much more
stable, has a much better user interface and can perform more functions.
</blockquote>
</p>
<!-- end vendor -->

<!-- begin vendor -->
<a name="dynamicsoft">
<h4>Dynamicsoft Inc.</h4>
<p>
<blockquote>

Please see <a
href="http://www.dynamicsoft.com/support/advisory/ca-2003-06.php">http://www.dynamicsoft.com/support/advisory/ca-2003-06.php</a>.

</blockquote>
</p>
<!-- end vendor -->

<!-- begin vendor -->
<a name="f5">
<h4>F5 Networks</h4>
<p>
<blockquote>
F5 Networks does not have a SIP server product, and is therefore not affected
by this vulnerability.

</blockquote>
</p>
<!-- end vendor -->

<!-- begin vendor -->
<a name="foundrynet">
<h4>Foundry Networks, Inc.</h4>
<p>
<blockquote>
Foundry Networks, Inc. products do not use the SIP protocol and are not 
affected by the vulnerabilities described in CA-2003-06.
</blockquote>
</p>
<!-- end vendor -->



<!-- begin vendor -->
<a name="Fujitsu">
<h4>Fujitsu</h4>
<p>
<blockquote>
With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable because the
relevant function is not supported under UXP/V.

</blockquote>
</p>
<!-- end vendor -->


<!-- begin vendor -->
<a name="hp">
<h4>Hewlett-Packard Company</h4>
<p>
<blockquote>
Source:<br>
 Hewlett-Packard Company<br>
 Software Security Response Team<br>
<br><br>
cross reference id: SSRT2402<br>
<br><br>
HP-UX         - not vulnerable<br>
HP-MPE/ix     - not vulnerable<br>
HP Tru64 UNIX - not vulnerable<br>
HP OpenVMS    - not vulnerable<br>
HP NonStop Servers - not vulnerable<br>
<br><br>
To report potential security vulnerabilities in HP software,
send an E-mail message to: <a href="mailto:security-alert@hp.com">mailto:security-alert@hp.com</a>
</blockquote>
</p>
<!-- end vendor -->

<!-- begin vendor -->
<a name="hotsip">
<h4>Hotsip AB</h4>
<p>
<blockquote>

Hotsip has investigated the issues reported in VU#528719 and 
found that Hotsip Active Contacts(tm) PC 3.x, SIP Application 
Server 3.x and Presence Engine 2.x are not affected by this.

</blockquote> 
</p> <!-- end vendor -->

<!-- begin vendor -->
<a name="hughes_systems">
<h4>Hughes Software Systems</h4>
<p>
<blockquote>
SIP Core stack - Not Vulnerable [ Version : 5.0.1 ]<br>
SIP User Agent - Not Vulnerable [ Version : 2.0 ]<br>
microSIP stack - Not Vulnerable [ Version: 2.0 ]<br>
microUser Agent - Not Vulnerable [ Version: 2.0 ]<br>
</blockquote> 
</p> <!-- end vendor -->



<!-- begin vendor -->
<a name="ibm">
<h4>IBM</h4>
<p>
<blockquote>
SIP is not implemented as part of the AIX operating system.
<br>
<br>
The issues discussed in VU#528719 do not pertain to AIX.
</blockquote>
</p>
<!-- end vendor -->

<!-- begin vendor -->
<a name="ibm_z-series">
<h4>IBM zSeries</h4>
<p>
<blockquote>

zSeries customers should feel free to contact servsec@us.ibm.com with
any CERT related security questions or concerns.

</blockquote>
</p>
<!-- end vendor -->

<!-- begin vendor -->
<a name="indigosw">
<h4>Indigo Software</h4>
<p>
<blockquote>

Indigo Software certifies that its Indigo SIP Foundation Class, Indigo SIP
Server &amp; SDK and Indigo Communications Server &amp; SDK products are NOT
VULNERABLE to DoS and other attacks simulated by the PROTOS Vulnerability
Assessment Test Suite. For more information, please refer to <a
href="http://www.indigosw.com/html/cert_advisory.htm">http://www.indigosw.com/html/cert_advisory.htm</a>


</blockquote> </p> <!-- end 
vendor -->


<!-- begin vendor -->
<a name="ingate">
<h4>Ingate Systems</h4>
<p>
<blockquote>

Ingate Firewall and Ingate SIParator running versions prior to 3.1.3 are
vulnerable to problems exposed by the PROTOS c07-sip test suite.  The
vulnerabilities have been fixed in version 3.1.3, which is available for
download from <a
href="http://www.ingate.com/upgrades/">http://www.ingate.com/upgrades/</a>.  
We strongly advise upgrading to version 3.1.3.

</blockquote>
</p>
<!-- end vendor -->

<!-- begin vendor -->
<a name="intoto">
<h4>Intoto</h4>
<p>
<blockquote>
Intoto, Inc has examined its SIP based product iGateway-VoIP Ver 
1.0.1, for possible buffer overflow vulnerabilities documented in 
VU#528719, and found that iGateway-VoIP is not vulnerable to these 
attacks.
</blockquote>
</p>
<!-- end vendor -->




<!-- begin vendor -->
<a name="ipf">
<h4>IP Filter</h4>
<p>
<blockquote>
IPFilter does not do any SIP specific protocol handling and is therefore not
affected by the issues mentioned in the paper cited.

</blockquote>
</p>
<!-- end vendor -->



<!-- begin vendor -->
<a name="iptel">
<h4>IPTel</h4>
<p>
<blockquote>
All versions of SIP Express Router up to 0.8.9 are sadly vulnerable to the
OUSPG test suite. We strongly advise upgrading to version 0.8.10. Please also
apply the patch to version 0.8.10 from <a href="http://www.iptel.org/ser/security/">http://www.iptel.org/ser/security/</a>
before installation and keep on watching this site in the future. We apologize
to our users for the trouble.

</blockquote>
</p>
<!-- end vendor -->




<!-- begin vendor -->
<a name="juniper">
<h4>Juniper Networks</h4>
<p>
<blockquote>
Juniper Networks  products are not  SIP-aware, and neither generate,  
process,  nor act as a proxy  for SIP  protocol messages.   Therefore, 
Juniper  Networks products are  not susceptible to this vulnerability. 
<br> <br>

Customers wishing to use the packet filtering features of Juniper Networks
products to block SIP protocol messages can visit the Juniper Networks
product support web-site at <a
href="https://www.juniper.net/support/csc/">https://www.juniper.net/support/csc/</a>
or they can contact Juniper's Technical Assistance Center by telephone
at 1-888-314-JTAC (U.S. customers only; non-U.S. customers should call
JTAC at +1 408-745-9500).

</blockquote> 
</p> 
<!-- end vendor -->



<!-- begin vendor -->
<a name="lucent">
<h4>Lucent</h4>
<p>
<blockquote>
No Lucent products are known to be affected by this vulnerability, however we
are still researching the issue and will update this statement as needed.

</blockquote>
</p>
<!-- end vendor -->


<!-- begin vendor -->
<a name="mediatrix">
<h4>Mediatrix Telecom, Inc.</h4>
<p>
<blockquote>
Tests developed by the University of Oulu and performed by Mediatrix
Telecom Inc on Mediatrix VoIP Access Devices and Gateways have uncovered
vulnerabilities, as per CERT vulnerability note VU#52789, that will be
eliminated through software patches with the following availabilities:

<ul>
<li> By March 21 for Mediatrix units running the SIPv2.4 firmware. 
<li> By April 11 for Mediatrix units running the SIPv4.3 firmware.
</ul>

<p>Additional information on Mediatrix Telecom Inc products is available
at <a href="http://www.mediatrix.com">www.mediatrix.com</a>

</blockquote>
</p>
<!-- end vendor -->



<!-- begin vendor -->
<a name="microsoft">
<h4>Microsoft Corporation</h4>
<p>
<blockquote>
Microsoft has investigated these issues. The Microsoft SIP client
implementation is not affected.

</blockquote>
</p>
<!-- end vendor -->


<!-- begin vendor -->
<a name="nec">
<h4>NEC Corporation</h4>
<p>
<blockquote>
=====================================================================<br>
NEC vendor statement for VU#528719<br>
=====================================================================<br>
<br><br>
sent on May 20, 2003
<br><br>
[Server Products]
<ul>
 <li> EWS/UP 48 Series operating system
 <ul>
   <li> is NOT vulnerable, because it does not support SIP.
 </ul>
</ul>

[Router Products]
<ul>
 <li> IX 1000 / 2000 / 5000 Series
 <ul>
   <li> is NOT vulnerable, because it does not support SIP.
 </ul>
</ul>

[Other Network products]

<ul>
 <li>CX6820 Call Service Server Series (CA/SS/MD) V2.2
 <ul>
   <li> is NOT vulnerable.
 </ul>
 <li> CX7620-VG Media Server
 <ul>
   <li> is NOT vulnerable.
 </ul>
</ul>
<ul>
<li>We continue to check our products which support SIP protocol.
</ul>

=====================================================================<br>

</blockquote>
</p>
<!-- end vendor -->



<!-- begin vendor -->
<a name="NETBSD">
<h4>NETBSD</h4>
<p>
<blockquote>
NetBSD does not ship any implementation of SIP.

</blockquote>
</p>
<!-- end vendor -->




<!-- begin vendor -->
<a name="netfilter">
<h4>NETfilter.org</h4>
<p>
<blockquote>
As the linux 2.4/2.5 netfilter implementation currently doesn't support
connection tracking or NAT for the SIP protocol suite, we are not vulnerable to
this bug.

</blockquote>
</p>
<!-- end vendor -->





<!-- begin vendor -->
<a name="netscreen">
<h4>NetScreen</h4>
<p>
<blockquote>
NetScreen is not vulnerable to this issue.

</blockquote>
</p>
<!-- end vendor -->


<!-- begin vendor -->
<a name="network_appliance">
<h4>Network Appliance</h4>
<p>
<blockquote>
NetApp products are not affected by this vulnerability.

</blockquote>
</p>
<!-- end vendor -->



<!-- begin vendor -->
<a name="nokia">
<h4>Nokia</h4>
<p>
<blockquote>
Nokia IP Security Platforms based on IPSO, Nokia Small Office Solution
platforms, Nokia VPN products and Nokia Message Protector platform do not
initiate or terminate SIP based sessions.  The mentioned Nokia products are not
susceptible to this vulnerability.

</blockquote>
</p>
<!-- end vendor -->


<!-- begin vendor -->
<a name="nortel">
<h4>Nortel Networks</h4>
<p>
<blockquote>
Nortel Networks is cooperating to the fullest extent with the CERT Coordination
Center. All Nortel Networks products that use Session Initiation Protocol (SIP)
have been tested and all generally available products, with the following
exceptions, have passed the test suite:
<br><br>
Succession Communication Server 2000 and Succession Communication
Server 2000 - Compact are impacted by the test suite only in configurations
where SIP-T has been provisioned within the Communication Server; a software
patch is expected to be available by the end of February.
<br><br>
For further information about Nortel Networks products please contact Nortel
Networks Global Network Support.<br><br>

North America: 1-800-4-NORTEL, or (1-800-466-7835)<br>
Europe, Middle East &amp; Africa: 00800 8008 9009, or +44 (0) 870 907 9009<br>
<br>
Contacts for other regions available at the Global Contact
&lt;<a 
href="http://www.nortelnetworks.com/help/contact/global/">http://www.nortelnetworks.com/help/contact/global/</a>&gt; web page.

</blockquote>
</p>
<!-- end vendor -->

<!-- begin vendor -->
<a name="novell">
<h4>Novell</h4>
<p>
<blockquote>
Novell has no products implementing SIP.

</blockquote>
</p>
<!-- end vendor -->


<!-- begin vendor -->
<a name="pingtel">
<h4>Pingtel Corporation</h4>
<p>
<blockquote>
  Pingtel has verified that the current versions of software for the
  Pingtel xpressa desk phone and instant xpressa softphone products,
  Release 2.1.6, are not vulnerable to any of the tests developed by
  the University of Oulu and described in CERT Vulnerability Note
  VU#528719.
  </p>
  <p>
  Pingtel strongly encourages its customers to use Version 2.1.6.
  Existing customers may upgrade to this software, free of charge.
  This software is available at <a
href="http://www.pingtel.com/s_upgrades.jsp">http://www.pingtel.com/s_upgrades.jsp</a>.
  While the process of updating software for xpressa and instant  
  xpressa can take a phone out of service for two minutes, Pingtel
  recommends that customers make the effort to stay current, if they  
  aren't already, by upgrading to Version 2.1.6 now. Earlier software
  revisions are vulnerable, making the use of any release prior to
  2.1.6 inadvisable.
  </p>
  <p>
  Customers that have any questions or concerns are welcome to
  contact the Pingtel Technical Assistance Center at any time by
  calling 781-938-5306, emailing <a 
href="mailto:support@pingtel.com">support@pingtel.com</a>, or going
  online at <a 
href="http://www.pingtel.com/support.jsp">http://support.pingtel.com</a>. 
Emergency cases are always handled 24 x 7 x 365.
</blockquote> 
</p> 
<!-- end vendor -->



<!-- begin vendor -->
<a name="secure_computing">
<h4>Secure Computing Corporation</h4>
<p>
<blockquote>
Neither Sidewinder nor Gauntlet implements SIP, so we do not need to be on the
vendor list for this vulnerability.

</blockquote>
</p>
<!-- end vendor -->

<!-- begin vendor -->
<a name="SecureWorx">
<h4>SecureWorx</h4>
<p>
<blockquote>
We hereby attest that SecureWorx Basilisk Gateway Security product suite
(Firmware version 3.4.2 or later) is NOT VULNERABLE to the Session Initiation
Protocol (SIP) Vulnerability VU#528719 as described in the OUSPG announcement
(OUSPG#0106) received on Fri, 8 Nov 2002 10:17:11 -0500.

</blockquote>
</p>
<!-- end vendor -->

<!-- begin vendor -->
<a name="Stonesoft">
<h4>Stonesoft</h4>
<p>
<blockquote>
Stonesoft's StoneGate high availability firewall and VPN product does not
contain any code that handles SIP protocol. No versions of StoneGate are
vulnerable.

</blockquote>
</p>
<!-- end vendor -->

<!-- begin vendor -->
<a name="symantec">
<h4>Symantec</h4>
<p>
<blockquote>
Symantec Corporation products are not vulnerable to this issue.  Symantec does
not implement the Session Initiation Protocol (SIP) in any of our products.

</blockquote>
</p>
<!-- end vendor -->

<!-- begin vendor -->
<a name="Xerox">
<h4>Xerox</h4>
<p>
<blockquote>
Xerox is aware of this vulnerability and is currently assessing all products.
This statement will be updated as new information becomes available.

</blockquote>
</p>
<!-- end vendor -->


<a name="references">
<H2>Appendix B. - References</H2>

<OL>
<li><a 
href="http://www.ee.oulu.fi/research/ouspg/protos/">http://www.ee.oulu.fi/research/ouspg/protos/</A>
<li><a 
href="http://www.kb.cert.org/vuls/id/528719">http://www.kb.cert.org/vuls/id/528719</A>
<li><a 
href="http://www.cert.org/tech_tips/denial_of_service.html">http://www.cert.org/tech_tips/denial_of_service.html</A>
<li><a 
href="http://www.ietf.org/html.charters/sip-charter.html">http://www.ietf.org/html.charters/sip-charter.html</A>
<li><a href="http://www.ietf.org/rfc/rfc3261.txt">RFC3261 - SIP: Session
Initiation Protocol</a>
<li><a href="http://www.ietf.org/rfc/rfc2327.txt">RFC2327 - SDP: Session
Description Protocol</a>
<li><a href="http://www.ietf.org/rfc/rfc2279.txt">RFC2279 - UTF-8, a
transformation format of ISO 10646</a>
<li> <a
href="http://www.ietf.org/internet-drafts/draft-ietf-sipping-basic-call-flows-01.txt">Session
Initiation Protocol Basic Call Flow Examples </a>
<li> <a
href="http://www.ietf.org/internet-drafts/draft-ietf-sipping-torture-tests-00.txt">Session
Initiation Protocol Torture Test Messages, Draft </a>


</OL>
<p>
<A NAME="thanks">
<HR NOSHADE>

<p>The CERT Coordination Center thanks the Oulu University Secure
Programming Group for reporting these vulnerabilities to us, for providing
detailed technical analysis, and for assisting us in preparing this
advisory. We would also like to acknowledge the <a
href="http://www.mediateam.oulu.fi/projects/info/redskins/?lang=en">"RedSkins"</a>
project of "MediaTeam Oulu" for their support of this research.
  
<p>
<HR NOSHADE>

<P>Feedback on this document can be directed to the authors, <A
HREF="mailto:cert@cert.org?subject=CA-2003-06%20Feedback%20VU%23528719">Jason 
A. Rafail and Ian A. Finlay</A>.


<P>Copyright 2003 Carnegie Mellon University.</P>

<P>Revision History
<pre>
Feb 21, 2003: Initial release
Feb 21, 2003: Added Cisco vendor statement
Feb 21, 2003: Corrected IBM vendor statement
Feb 21, 2003: Added Juniper Networks vendor statement
Feb 24, 2003: Added IBM zSeries vendor statement
Feb 25, 2003: Added Columbia SIP User Agent (sipc) vendor statement
Feb 25, 2003: Revised Columbia SIP User Agent (sipc) vendor statement
Feb 25, 2003: Added Hotsip AB vendor statement
Feb 25, 2003: Added Avaya vendor statement
Feb 27, 2003: Added Dynamicsoft Inc. vendor statement
Mar 06, 2003: Added Check Point vendor statement
Mar 06, 2003: Added Alcatel vendor statement
Mar 07, 2003: Added Ingate Systems vendor statement
Mar 07, 2003: Added Pingtel Corporation vendor statement
Mar 12, 2003: Updated HotSIP AB vendor statement
Mar 13, 2003: Added Cirpack vendor statement
Mar 24, 2003: Added Intoto vendor statement
Mar 24, 2003: Updated Pingtel Corporation vendor statement
Mar 25, 2003: Added Foundry Networks, Inc. vendor statement
Apr 01, 2003: Added Indigo Software vendor statement
Apr 14, 2003: Updated NEC vendor statement
Apr 14, 2003: Added Hughes Software Systems vendor statement
May 09, 2003: Added Mediatrix Telecom, Inc. vendor statement
May 21, 2003: Updated NEC vendor statement
</pre>