
ESB-2003.0123 -- @stake Security Advisory -- Nokia 6210 DoS SMS Issue

Date: 26 February 2003

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                 ESB-2003.0123 -- @stake Security Advisory
                         Nokia 6210 DoS SMS Issue
                             26 February 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Nokia 6210
Vendor:                 @stake, Inc.
Impact:                 Denial of Service
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                              @stake, Inc.
                            www.atstake.com

                           Security Advisory

Advisory Name: Nokia 6210 DoS SMS Issue
 Release Date: 02/25/2003
  Application: Nokia 6210
     Platform: Nokia 6210
     Severity: An attacker is able to cause a 6210 to crash
       Author: Ollie Whitehouse [ollie@atstake.com]
Vendor Status: Vendor has supplied attack recovery procedure
CVE Candidate: CVE Candidate number applied for
    Reference: www.atstake.com/research/advisories/2003/a022503-1.txt


Overview:

        Nokia's (http://www.nokia.com) 6210 handset is a cellular
ME designed for business users supporting GSM and HSCSD, data
services and vCard extensions to SMS. VCards are common attachments
used for exchanging address book information between parties which
support RFC2426 (http://www.faqs.org/rfcs/rfc2426.html). This
includes products from Microsoft, Netscape and Lotus (although these
products are not affected by this advisory).

There is a vulnerability which allows an attacker to send a malicious
vCard to a handset, causing it to crash in one of three ways.

This is a good example of why all newly introduced product
functionality should be reviewed to ensure that no new security
vulnerabilities will also be introduced. A cursory source code
audit would find an error of this type.


Details:

There is a format string vulnerability in the processing of Multi-
Part vCards.  When the phone receives vCard fields containing many
format string characters the phone will crash in one of 3 ways:

        - SMS Receiver handler will die
        - Phone will lock up, requiring battery to be removed
        - Phone will automatically restart


Vendor Response:

        Response to the security advisory "Nokia 6210 DoS SMS Issue"
submitted by @stake Inc. in January 2003:

Some users of the Nokia 6210 may potentially experience an error when
someone deliberately sends a specially created non-standard Business
Card-text message to the phone. The error causes the Nokia 6210 to
either a) crash b) show corrupted business card with ill-behaving
user interface or c) reject the business card and all the following
business cards, non-standard or not. Users will recover from the
error if they restart the phone by removing the battery. There is no
damage caused to the phone memory, software or stored data. The error
affects the Nokia 6210 with SW version 05.27 or above.

The possibility of this error occurring is very remote, as it is
depending on the potential attacker's ability to create and send
malformatted Business Cards over the air to the Nokia 6210 mobile
phone.  In addition it is very simple to deal with the error, as the
user only needs to restart the phone by removing the battery and
there is no damage caused to the phone memory, software or stored
data.  Due to these reasons, Nokia currently has no plans to issue a
software fix for this error caused by an intentional action of a
person. 


Recommendation:

        Operators should look to deploy SMS proxies ensuring that
all user supplied SMSes are correctly formed and that any malformed
SMSes are not received by the SMSC.
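
One way such a proxy-side check could look, together with the handset-side
fix for this class of bug. This is an added example, not code from @stake,
Nokia or AusCERT; the function names, the sample cards and the max_specs
threshold are all assumptions.

```c
/* Added example; every name here is hypothetical, not Nokia or @stake code. */
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion specifiers in s; "%%" is a literal percent. */
int count_format_specs(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%' || *++p == '%')
            continue;
        p += strspn(p, "-+#0123456789.*hlLjzt");   /* flags, width, length */
        if (*p && strchr("diouxXeEfgGaAcspn", *p))
            n++;
        else
            p--;            /* re-examine this byte, or stop at the terminator */
    }
    return n;
}

/* Proxy-side check: block a card with a line that is neither "name:value" nor
 * a folded continuation, or with more than max_specs specifiers in total. */
int vcard_should_block(const char *card, int max_specs)
{
    for (const char *l = card; *l; ) {
        size_t len = strcspn(l, "\r\n");
        if (*l != ' ' && *l != '\t' && !memchr(l, ':', len))
            return 1;
        l += len + strspn(l + len, "\r\n");
    }
    return count_format_specs(card) > max_specs;
}

/* Handset-side fix: untrusted text is passed as an argument, never as the
 * format. A vulnerable form of this class is snprintf(out, n, value). */
int render_field(char *out, size_t n, const char *value)
{
    return snprintf(out, n, "%s", value);
}

/* Constructed sample cards, not captured traffic. */
static const char BENIGN[] = "BEGIN:VCARD\r\nVERSION:2.1\r\nN:Doe;Jane\r\nTEL:+61700000000\r\nEND:VCARD\r\n";
static const char SUSPECT[] = "BEGIN:VCARD\r\nVERSION:2.1\r\nN:%x%x%x%x\r\nEND:VCARD\r\n";

int main(void)
{
    printf("benign=%d suspect=%d\n", vcard_should_block(BENIGN, 0), vcard_should_block(SUSPECT, 0));
    return 0;
}
```

A threshold of 0 rejects any specifier and will also reject legitimate text
such as "50%discount"; operators would tune it against their own traffic.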


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

  CVE candidate number applied for


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc


Copyright 2003 @stake, Inc. All rights reserved.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPlvf1Ue9kNIfAm4yEQJJBQCfYBoBaANAvASSrX+qdGdDIGRqrJcAniZH
NhoPqG0D5SZNV7cuMbzH8671
=uCuv
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPlysnCh9+71yA2DNAQHV7wQAh7dabOskrfRBM2BPRq3p7ITNH7B7hnyj
us/uVjIJ6xe8mpRpAGC2asw5kuuq79wdMtEgJhaLctxAu0MWIZtUQFkjbcqSfIvj
QgSJOJHE/7JGW6QXJdhDqqfBRMUOGKw6tSZuFA4aNIOKjkbMRK25dZvHFmBoGCmr
BvCZI76PTwg=
=JS1B
-----END PGP SIGNATURE-----