|
|
|
|
| |
3Com? SuperStack? 3 NBX? and 3Com NBX 100 networked telephony solutions offer wide-ranging price/performance alternatives to fit your business needs today and tomorrow. 3Com? SuperStack? 3 NBX? Networked Telephony Solution Delivers robust, full-featured business communications for up to 1500 devices (lines/stations) Ensures high system availability with the Wind River VxWorks real-time operating system (also used in pacemakers and artificial hearts), so server and PC downtime does not impact your telephone service.
VxWorks and pSOSystem are the most widely adopted real-time operating systems (RTOSs) in the embedded industry -- for good reason. They are flexible, scalable, reliable, and available on all popular CPU platforms. They are also, by most measures, the fastest RTOSs available today.
A remote security vulnerability in the product allows a remote attackers to cause a denial of service against the product. |
| |
Credit:
The information has been provided by Michael S. Scheidell of SECNAP Network Security.
|
| |
Vulnerable systems:
* 3com NBX IP Phone Call manager, firmware versions through 4.1.4
Exploit:
It was possible to make the remote FTP server crash by issuing this command:
CEL aaaa[...]aaaa where string is 2048 bytes long. This can be done with netcat, a windows client by telneting to the NBX server on port 21 or by running the aix_ftpd.nasl test in nessus (http://www.nessus.org)
The 3com NBX uses VXWORKS Embedded Real time Operating system and what appears to be their own internal ftp server.
By sending a specific string of data to the ftp server, an attacker can disable not only the FTP server, but the integrated web based administrative console and the call manager preventing diagnostics, control and all incoming, outgoing or internal calls. Any calls in progress cannot be disconnected, and in the case of long distance calls, could result in excessive long distance bills and extended loss of use of the phone system.
This condition is not recovered without a Hard reboot (power off/on). Since the 3com NBX is based on an embedded UNIX operating system, and abrupt power off could cause loss of data, including corruption of voice mails in progress or logs.
A company who uses the VoIP features for remote locations, and who has the call manager located on the outside of their firewall, or has no firewall can have their voice communications disrupted easily. Even if the company has call manager located on internal network, people with internal network access can also disrupt communications.
We have tested 3com NBX firmware version 4.0.17 (with FTPd version 5.4) and NBX firmware version 4.1.4 (FTPd version 5.4.2) and this bug seems to be present in both systems.
Vendor Response:
3com confirmed problem and received a field patch, TSR(296292) from VxWorks to address the problem. Neither WindRiver nor 3com has provided a test bed or access to a fixed system for us verify fix. 3com will be working to integrate this TSR into a future release of the NBX build but has no date yet for release. Also, since FTPd is only used for debugging and diagnostics, a future firmware will allow the administrator the ability to turn off FTPd if not used.
Please contact 3com for further information.
Solution:
There is no known fix. If you have information about a fix, please contact security@secnap.net
There appears to be on way to turn off the build in ftp server in this version of the software, no way to do IP address limits via TCP wrapper or ACLs, and if there is a build in firewall, there is no documented way to access it. The only way we know of to prevent a denial of service attack on the 3com NBX is to place it behind its own firewall. If call manager is placed on the Internet side of the firewall or in the DMZ, care should be taken to prohibit any access to ftp port (TCP port 21). This may be impossible on an internal network unless 3com NBX is itself placed behind a firewall, or on a separate VLAN or network segment.
Care should be taken in this approach, since some firewalls may interfere with the VoIP operations.
(see Firewall limits vex VoIP users http://www.nwfusion.com/news/2002/0625bleeding.html )
Additional Information:
A tcpdump/pcap packet of the exploit and FTPd/NBX response can be found at http://www.secnap.net/private/nbx.pcap
A copy of this report can be found at http://www.secnap.net/security/nbx001.html and at http://www.kb.cert.org/vuls/id/317417.
To test your systems for this vulnerability, you can use Nessus at www.nessus.org. Either update your signatures, or download this nessus signature: vxworks_ftpd.nasl - http://cgi.nessus.org/plugins/dump.php?id=11185
|
|
|
|
|
|
|
|
|
|
