
List:       bugtraq
Subject:    3com NBX VOIP NetSet Denial of Service Attack
From:       "Michael Scheidell" <scheidell () secnap ! net>
Date:       2004-04-29 20:34:35
Message-ID: B3BCAF4246A8A84983A80DAB50FE724214A93A () secnap2 ! secnap ! com

Systems: 3com NBX IP VOIP NetSet(r) Configuration Manager
Severity: Serious 
Category: Denial of Service 
Classification: Insufficient user input checking
BugTraq-ID: TBD
CERT VU#: TBD
CVE ID: TBD
Vendor URL: www.3com.com
Author: Michael S. Scheidell, SECNAP Network Security Corporation
Original Release date: April 20, 2004
Notifications: 3com Notified via email April 20, 2004, no response
Last contact with 3com: NA

Discussion: From 3com's web site:

3Com® SuperStack® 3 NBX® and 3Com NBX 100 networked telephony solutions offer
wide-ranging price/performance alternatives to fit your business needs today and
tomorrow. 3Com® SuperStack® 3 NBX® Networked Telephony Solution Delivers robust,
full-featured business communications for up to 1500 devices (lines/stations) Ensures
high system availability with the Wind River VxWorks real-time operating system (also
used in pacemakers and artificial hearts), so server and PC downtime does not impact
your telephone service.

Exploit: It was possible to make the remote Virata-EmWeb/R6_0_3 server (the NBX
NetSet application) crash by running a standard Nessus scan in safeChecks mode.
Note: safeChecks mode only does web queries, XSS, etc.

The 3com NBX uses the VxWorks embedded real-time operating system and what appears to
be the Virata-EmWeb/R6_0_3 web server. This web server is used by the NetSet
configuration program to update/reboot/backup/configure and check status on the 3com
NBX VoIP call manager. It is also used by each phone user to change speed dial
numbers, configure call forwarding and other features of their individual phone sets.
By running the Nessus vulnerability scanner in safeChecks mode, a hacker or user can
disable the NetSet status, call detail functions and maintenance functions, including
the ability to 'soft boot' the system. Note: you may still be able to connect a 9600
baud terminal to the 3com NBX Call Manager and soft boot the system, but this requires
physical access and would need to be done each and every time someone ran Nessus.
Also note that with the proliferation of web-based attacks on the net lately, and the
fact that the Nessus tests are just a 'safe' version of these exploits, this creates
a serious problem for the NBX.

Also note that the NBX is NOT SIP, but rather uses a 3com proprietary multicast
protocol. An enterprise that deploys the 3com VoIP NBX system and expects to use the
functions on a remote phone must either use a multicast VPN router (rare and
expensive) or place the NBX on the outside of the firewall. Also, there is no
ability to keep hackers and crackers from connecting to the 'open/bare' NBX call
manager web port via IP access control lists on the NBX. A quick Google search will
find several 3com NBX systems with the call manager exposed.

http://ipphone.cybertown.co.at/
http://telephone.michiganaerospace.com/
http://nbxss3.shoreschool.org/

This condition is not recovered without a hard reboot (power off/on). Since the 3com
NBX is based on an embedded Unix operating system (vxworks), an abrupt power off
could cause loss of data, including corruption of voice mails in progress or logs.

A company that uses the VoIP features for remote locations, and that has the call
manager located on the outside of its firewall, or has no firewall, can have its
VoIP management functions disrupted easily. Even if the company has the call manager
located on an internal network, people with internal network access can also disrupt
communications.

We have tested 3com NBX firmware version 4_2_7 (with embedded web server
Virata-EmWeb/R6_0_3).

3com should have had in place the ability to test their new software versions in QA,
especially since they know, or should know, that these systems can be exposed to
attack from the internet. 3com has known since at least October 2002, when we
informed them of the security problems with the built-in FTP server. We have asked
3com several times since then for updated copies of the firmware to address the
problem, and for us to test, but have not had a response from 3com since December
2002.

(See http://www.secnap.com/security/nbx001.html for details of previous DoS problems
with the 3com NBX system.)

Update/Workaround: No workaround found. There is no way to change the default port to
'hide' this vulnerable server. Place the server on a VLAN and restrict access. Do not
use NBX VoIP for remote offices or phones unless you have a multicast-capable VPN or
private VPN.

3com Response: None

Solution: 
Please contact vendor for new firmware when they fix it.

For a report on Security Risk Factors with IP Telephony based Networks
see:
Security_Risk_Factors_with_IP_Telephony_based_Networks

Also reference article "Is VoIP vulnerable?" on NWfusion.com
http://www.nwfusion.com/news/2002/0624voip.html

see "Firewall limits vex VoIP users" at Nwfusion 
http://www.nwfusion.com/news/2002/0625bleeding.html 

For earlier problems with 3com NBX, FTP denial of service attack, see
http://www.secnap.com/security/nbx001.html

Credit: 
This problem was originally found during a routine security audit by Michael
Scheidell, SECNAP Network Security, www.secnap.com, using the Nessus vulnerability
scanner, www.nessus.org.

Additional Information: 

To test your systems for this vulnerability, you can use Nessus at www.nessus.org. 
Select default scan runs.

Original copy of this report can be found here 
<http://www.secnap.net/security/20040420.html> 

Copyright: 
Above Copyright(c) 2004, SECNAP Network Security Corporation. World rights reserved. 

This security report can be copied and redistributed electronically provided it is
not edited and is quoted in its entirety without written consent of SECNAP Network
Security Corporation. Additional information or permission may be obtained by
contacting SECNAP Network Security at 561-368-9561 or www.secnap.com
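
The workaround in the advisory above (place the server on a VLAN and restrict access, since the NBX has no IP access control lists of its own) has to be enforced on an upstream filter. The following is an added example, not part of the original advisory or any 3com tooling: it evaluates a first-match rule list and reports which trust zones can still reach the NetSet web server. All addresses, networks, rules and the port number 80 are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the advisory).
NBX = ipaddress.ip_address("10.20.0.5")            # hypothetical call manager address
NETSET_PORT = 80                                   # assumed NetSet HTTP port
MGMT_VLAN = ipaddress.ip_network("10.20.99.0/24")  # hypothetical admin VLAN

# Rules: (action, source net, destination net, TCP port or None for any); first match wins.
WEAK_RULES = [
    ("permit", "0.0.0.0/0", "10.20.0.5/32", None),      # call manager open to anyone
]
HARDENED_RULES = [
    ("permit", "10.20.99.0/24", "10.20.0.5/32", 80),    # admins only to NetSet
    ("deny",   "0.0.0.0/0",     "10.20.0.5/32", 80),    # nobody else reaches the web server
    ("permit", "10.20.0.0/16",  "10.20.0.5/32", None),  # internal phones, other ports
]
# Constructed probe sources, one per trust zone.
PROBES = {
    "internet host": "203.0.113.7",
    "user VLAN phone": "10.20.10.44",
    "admin workstation": "10.20.99.12",
}

def first_match(rules, src, dst, port):
    """Return the action of the first rule matching the flow (implicit deny)."""
    for action, src_net, dst_net, rule_port in rules:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return "deny"

def netset_exposure(rules, probes=PROBES):
    """List probe names outside the admin VLAN that can still reach NetSet."""
    exposed = []
    for name, addr in probes.items():
        src = ipaddress.ip_address(addr)
        allowed = first_match(rules, src, NBX, NETSET_PORT) == "permit"
        if allowed and src not in MGMT_VLAN:
            exposed.append(name)
    return exposed

def admin_can_manage(rules, admin=PROBES["admin workstation"]):
    """Confirm the restriction did not lock administrators out of NetSet."""
    return first_match(rules, ipaddress.ip_address(admin), NBX, NETSET_PORT) == "permit"

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, "exposed:", netset_exposure(rules), "admin ok:", admin_can_manage(rules))
```

The probe list is only a spot check of the zones named in it; it does not prove that no other source network is permitted.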

