OmniPCX Enterprise VoIP Phone Audio Stream Rerouting Vulnerability
19 Nov. 2007
Summary
A vulnerability in Alcatel's OmniPCX allows remote attackers to cause the product to no longer be able to receive audio by sending it a malformed TFTP request.
If a malicious user sends a TFTP request to the signaling server with the MAC address of the victim's VoIP phone as part of the file name, he is able to reroute the audio stream coming from the other end of the call (and only that stream) to his computer's IP address. Even though the Alcatel VoIP phone can still make or take calls and send audio, it is prevented from hearing anything said at the other end of the communication. The VoIP phone needs to be rebooted manually in order to work again.
This vulnerability may be further exploited by rerouting the audio stream to the victim's VoIP phone again. This would only allow the malicious user to eavesdrop on half of the victim's audio communication: what the victim says is not intercepted; only the answers made by the other party would be overheard. Note that this scenario has not been verified.
Disclosure Timeline:
June 2007 - Vulnerability found
June 2007 - Alcatel Security notified
November 2007 - Alcatel Advisory available
November 2007 - Alcatel Security Information
Vendor Response:
"Upon boot, an IP Touch phone downloads configuration information about the deployment using the TFTP protocol.
The attack against a given IP Touch phone set is performed by sending a specially crafted TFTP request containing this phone's MAC address (Ethernet address), faking this initial download request. The Communication Server thereafter considers the attacking PC's IP address as the phone set's IP address for the incoming half of the voice connection.
Because the signaling link is not broken, the phone stays up and can dial and receive calls, without any ring tone and audio feedback. Communications are halfway with only the outgoing audio but no audio is received from the far end."
Solutions: Workaround
In installations with IP address spaces for phone sets separate from that of the data workstations, bogus TFTP requests may be filtered using a firewall in front of the Communication Server. The firewall is configured to allow TFTP requests only from the range of IP addresses allocated to IP Touch phones and block any TFTP request coming from other IP addresses, thereby blocking any bogus request emitted from any workstation.
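The following is an added example, not Alcatel's code or anything from the advisory, showing the workaround policy above as a check a defender could run over UDP/69 datagrams seen in front of the Communication Server: TFTP read/write requests from the phone address range are allowed, requests from any other source are dropped, and a dropped request whose file name carries a phone MAC (the pattern described in the summary and the vendor response) is raised as an alert. The phone range PHONE_NET and the sample datagrams are constructed placeholders, and the assumption that the configuration file name merely contains a 12-hex-digit MAC is mine, since the advisory does not state the exact naming scheme.

```python
"""Classify TFTP requests reaching an OmniPCX Communication Server by source
address, mirroring the advisory's firewall workaround (added example).

Assumptions (not from the advisory):
- PHONE_NET is a placeholder for the IP Touch phone address range.
- The phone's configuration file name merely contains its MAC address,
  matched here as 12 hex digits with optional ':' or '-' separators.
"""
import ipaddress
import re
import struct
from dataclasses import dataclass
from typing import Optional

TFTP_RRQ = 1  # RFC 1350 read request opcode
TFTP_WRQ = 2  # RFC 1350 write request opcode

# Placeholder phone subnet; in a real deployment use the range allocated to phones
PHONE_NET = ipaddress.ip_network("10.50.0.0/16")

# MAC address embedded in a file name (assumption about the naming scheme);
# any other 12-hex-digit token will also match, so treat hits as leads, not proof
MAC_IN_NAME = re.compile(r"(?:[0-9a-f]{2}[:-]?){5}[0-9a-f]{2}", re.IGNORECASE)


@dataclass
class TftpRequest:
    opcode: int
    filename: str
    mode: str


def parse_tftp_request(payload: bytes) -> Optional[TftpRequest]:
    """Parse an RFC 1350 RRQ/WRQ: 2-byte opcode, then NUL-terminated file name
    and mode. Anything else (DATA, ACK, truncated input) yields None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    # A well-formed request splits into file name, mode and an empty trailer
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    try:
        return TftpRequest(opcode, fields[0].decode("ascii"), fields[1].decode("ascii"))
    except UnicodeDecodeError:
        return None


def classify(src_ip: str, payload: bytes) -> str:
    """Verdict for one datagram addressed to the Communication Server's TFTP port:
    'allow'  request from the phone range (what the firewall permits)
    'drop'   request from outside the phone range (what the firewall blocks)
    'alert'  as 'drop', but the file name names a phone MAC, i.e. the shape
             of the rerouting request described in the advisory
    'ignore' not a TFTP request at all"""
    req = parse_tftp_request(payload)
    if req is None:
        return "ignore"
    if ipaddress.ip_address(src_ip) in PHONE_NET:
        return "allow"
    if MAC_IN_NAME.search(req.filename):
        return "alert"
    return "drop"


# Constructed sample traffic (source IP, UDP payload); not captured from a real system
SAMPLES = [
    ("10.50.3.21", b"\x00\x01" b"lanpbx.cfg\x00octet\x00"),            # phone boot: allow
    ("10.50.3.22", b"\x00\x01" b"00a0b1c2d3e4.cfg\x00octet\x00"),      # phone boot, MAC in name: allow
    ("192.168.1.77", b"\x00\x01" b"00a0b1c2d3e4.cfg\x00octet\x00"),    # workstation naming a phone MAC: alert
    ("192.168.1.78", b"\x00\x01" b"readme.txt\x00octet\x00"),          # workstation, other file: drop
    ("192.168.1.79", b"\x00\x03\x00\x01data"),                         # DATA packet, not a request: ignore
]


def audit(samples=SAMPLES):
    """Return (source IP, verdict) for every sample datagram."""
    return [(ip, classify(ip, pkt)) for ip, pkt in samples]


if __name__ == "__main__":
    for ip, verdict in audit():
        print(f"{ip:15} {verdict}")
```

The 'alert' verdict is what distinguishes a misconfigured workstation from an attempt to hijack a phone's incoming audio; the 'drop' verdict on its own is exactly the firewall rule the vendor recommends, so the source-address check must be applied before any inspection of the file name.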
Fixed Software Versions and how to obtain them
Please contact your Business Partner to determine the appropriate course of action. For information, the correction has been delivered in the following patches:
* OmniPCX Enterprise R7.1: install patch F5.401.21.e
* OmniPCX Enterprise R7.0: upgrade to release R7.1
* OmniPCX Enterprise R6.2: install patch F3.301.38.a
* OmniPCX Enterprise R6.1: install patch F2.502.33
* OmniPCX Enterprise R6.0 and earlier: those releases are phased out: upgrade to release R7.1.