ESB-2007.0958 -- [Cisco] -- Cisco Unified IP Phone Remote Eavesdropping

Date: 29 November 2007

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                         ESB-2007.0958 -- [Cisco]
                Cisco Unified IP Phone Remote Eavesdropping
                             29 November 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Cisco Unified IP Phone
Publisher:            Cisco
Operating System:     Network Appliance
                      Cisco
Impact:               Access Confidential Data
Access:               Remote/Unauthenticated

Original Bulletin:    
   http://www.cisco.com/warp/public/707/cisco-sr-20071128-phone.shtml

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cisco Security Response: Cisco Unified IP Phone Remote Eavesdropping

http://www.cisco.com/warp/public/707/cisco-sr-20071128-phone.shtml

Revision 1.0

For Public Release 2007 November 28 1600 UTC (GMT)

- - ----------------------------------------------------------------------------

Cisco Response
==============

This is the Cisco PSIRT response to a presentation given at the Hack.Lu 2007
security conference by Joffrey Czarny of Telindus regarding a technique to
remotely eavesdrop using Cisco Unified IP Phones.

The original report is available at the following link:

http://www.hack.lu/pres/hacklu07_Remote_wiretapping.pdf

We greatly appreciate the opportunity to work with researchers on security
vulnerabilities and welcome the opportunity to review and assist in product
reports.

This Cisco Security Response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20071128-phone.shtml

Additional Information
======================

Cisco confirms that an attacker with valid Extension Mobility authentication
credentials could cause a Cisco Unified IP Phone configured to use the
Extension Mobility feature to transmit or receive a Real-Time Transport
Protocol (RTP) audio stream. This ability can be exploited to perform a remote
eavesdropping attack. All Cisco IP Phones that support the Extension Mobility
feature are vulnerable.

For this attack to be possible, several conditions need to be satisfied:

  * The internal web server of the IP phone must be enabled. The web server is
    enabled by default.
  * The IP phone must be configured to use the Extension Mobility feature,
    which is not enabled by default.
  * The attacker must possess or obtain valid Extension Mobility authentication
    credentials.

Extension Mobility authentication credentials are not tied to individual IP
phones. Any Extension Mobility account configured on an IP phone's Cisco
Unified Communications Manager/CallManager (CUCM) server can be used to perform
an eavesdropping attack.

To obtain Extension Mobility authentication credentials, an attacker needs
physical access to the network to sniff credentials. This can be accomplished
by inserting a sniffing device between an IP phone and switch port.

Before eavesdropping can occur, the user who is logged into the IP phone via
Extension Mobility must first be logged off of the IP phone. This can be
accomplished by sending an Extension Mobility logout message to the IP phone's
Cisco Unified Communications Manager/CallManager (CUCM) server.

If exploitation is successful, any IP phone that is undergoing an eavesdropping
attack will have its speaker phone status light enabled, and the phone will
display an off-hook icon that indicates an active call is in progress. Internal
testing by Cisco also revealed that the described attack produced static noise
on the IP phone while it was under attack.

Workarounds
===========

There are workarounds to combat this attack:

  * Disable the internal web server on IP phones.
  * Disable the Extension Mobility feature on IP phones.
  * Disable the speaker phone / headset functionality on IP phones.

This attack can also be mitigated by restricting access to the internal web
server of IP phones (TCP port 80) using an access control list (ACL).
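As an added illustration (not part of Cisco's response or of the AusCERT bulletin), the following Cisco IOS configuration shows the unfiltered state of a voice VLAN beside one where an extended ACL restricts who may reach the phones' web server on TCP port 80. The voice subnet 10.10.20.0/24, the admin station 10.10.1.50, the CUCM server 10.10.1.10, the ACL name and the interface number are all constructed placeholders; substitute the hosts that legitimately need the phones' web interface in your own deployment.

```cisco
! Added example, not from the Cisco response. All addresses, names and
! interface numbers below are constructed placeholders.
!
! --- Before: no filtering, any host can reach the phones' web server ---
interface Vlan20
 description Voice VLAN (phones in 10.10.20.0/24, constructed)
 ip address 10.10.20.1 255.255.255.0
!
! --- After: only designated hosts may reach TCP port 80 on the phones ---
ip access-list extended PHONE-WEB-RESTRICT
 remark Hosts that legitimately need the phones' web interface (constructed)
 permit tcp host 10.10.1.50 10.10.20.0 0.0.0.255 eq 80
 permit tcp host 10.10.1.10 10.10.20.0 0.0.0.255 eq 80
 remark Everyone else is denied access to the phone web server; log the hits
 deny   tcp any 10.10.20.0 0.0.0.255 eq 80 log
 remark Signalling, RTP and all other traffic are left untouched
 permit ip any any
!
interface Vlan20
 description Voice VLAN (phones in 10.10.20.0/24, constructed)
 ip address 10.10.20.1 255.255.255.0
 ip access-group PHONE-WEB-RESTRICT out
```

The `log` keyword on the deny entry turns rejected connection attempts into syslog messages, which gives the security operations team a signal to alert on rather than relying on the speakerphone light or static noise the response describes. A routed ACL applied to the SVI only filters traffic entering the voice VLAN from other subnets; it does not see traffic between two hosts on the same VLAN, so a device inserted inline on a phone's switch port, the access path the response describes for capturing credentials, is not covered by it. That case needs a port ACL or VLAN access map on the access switch, combined with the other workarounds listed above (disabling the web server or Extension Mobility where they are not required).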

For more information about Cisco-recommended best practices for securely
deploying Cisco Unified IP Phones, reference this link:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a008085f858.html#wp1045452

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Revision History
================

+-------------------------------------------------------------+
| Revision 1.0  | 2007-November-28  | Initial public release  |
+-------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. 
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at 
http://www.cisco.com/go/psirt.

- - ----------------------------------------------------------------------------
All contents are Copyright 2006-2007 Cisco Systems, Inc. All rights reserved.
- - ----------------------------------------------------------------------------

Updated: Nov 28, 2007                                       Document ID: 100252

- - ----------------------------------------------------------------------------
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFHTeF186n/Gc8U/uARAmRSAJ9+ko50nRKHmskbtuO3yupf51+MdQCeJj5V
IUtUu8gWsAToUz6JdxDKeg0=
=LqLa
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR04Opih9+71yA2DNAQIqwAP9GTwBxIdqDz++2jy/xklfy242a5hHfkYa
SHcRdX7XGPBapUzYcHmZpJhR8FEM3IkWBifyH5/Vm+E/sw1djli2GzjIu60+yhdT
wxyswG3GII0hvWE2AY/nUTaWs4Cvup2dp0ZX4SO3HqaaAB4Sw1cgYR2ltMMxKpnb
0O9GrD7mxuc=
=jIyb
-----END PGP SIGNATURE-----