
View Full Version : 3com NBX VOIP NetSet Denial of Service Attack



Michael Scheidell
30/04/04, 21:35
Systems: 3com NBX IP VOIP NetSet(r) Configuration Manager
Severity: Serious
Category: Denial of Service
Classification: Insufficient user input checking
BugTraq-ID: TBD
CERT VU#: TBD
CVE ID: TBD
Vendor URL: www.3com.com
Author: Michael S. Scheidell, SECNAP Network Security Corporation
Original Release date: April 20, 2004
Notifications: 3com Notified via email April 20, 2004, no response
Last contact with 3com: NA

Discussion: From 3com's web site:

3Com® SuperStack® 3 NBX® and 3Com NBX 100 networked telephony solutions offer wide-ranging price/performance alternatives to fit your business needs today and tomorrow. 3Com® SuperStack® 3 NBX® Networked Telephony Solution Delivers robust, full-featured business communications for up to 1500 devices (lines/stations) Ensures high system availability with the Wind River VxWorks real-time operating system (also used in pacemakers and artificial hearts), so server and PC downtime does not impact your telephone service.

Exploit: It was possible to make the remote Virata-EmWeb/R6_0_3 server (the NBX Netset application) crash by running a standard nessus scan in safeChecks mode. Note: safeChecks mode only does web queries, XSS, etc.

The 3com NBX uses VXWORKS Embedded Real time Operating system and what appears to be Virata-EmWeb/R6_0_3 web server. This web server is used by the NetSet configuration program to update/reboot/backup/configure and check status on the 3com NBX VOIP call manager. It is also used by each phone user to change speed dial numbers, configure call forwarding and other features of their individual phone sets. By running the nessus vulnerabilities scanner, in safeChecks mode, a hacker or user can disable the Netset status, Call detail functions, maintenance functions, including the ability to 'soft boot' system. Note: you may still be able to connect a 9600 baud terminal to the 3com NBX Call Manager and soft boot system, but this requires physical access and would need to be done each and every time someone ran nessus. Also note, that with the proliferation of web based attacks on the net lately, and the fact that the nessus tests are just a 'safe' version of these exploits, this creates a serious problem for the NBX.

Also note, that the NBX is NOT SIP, but rather uses 3com proprietary multi-cast protocol, an enterprise that deploys the 3com VOIP NBX system and expects to use the functions on a remote phone must either use a Multicast VPN router (rare and expensive), or place the NBX on the outside of the firewall. Also, there is no ability to keep hackers and crackers from connecting to the 'open/bare' nbx call manager web port via ip access control lists on the nbx. A quick google search will find several 3com nbx systems with the Call manager exposed.

http://ipphone.cybertown.co.at/
http://telephone.michiganaerospace.com/
http://nbxss3.shoreschool.org/

This condition is not recovered without a Hard reboot (power off/on). Since the 3com nbx is based on an embedded Unix operating system (vxworks), an abrupt power off could cause loss of data, including corruption of voice mails in progress or logs.

A company who uses the VoIP features for remote locations, and who has the call manager located on the outside of their firewall, or has no firewall can have their VOIP management functions disrupted easily. Even if the company has call manager located on internal network, people with internal network access can also disrupt communications.

We have tested 3com nbx firmware version 4_2_7 (with embedded web server Virata-EmWeb/R6_0_3).

3com should have had in place the ability to test their new software versions in QA, especially since they know, or should know that these systems can be exposed to attack from the internet. 3com has known since at least October 2002 when we informed them of the security problems with the built in ftp server. We have asked 3com several times since then for updated copies of the firmware to address the problem, and for us to test but have not had a response from 3com since December, 2002.

(See http://www.secnap.com/security/nbx001.html for details of previous DOS problems with 3com nbx system)

Update/Workaround: no workaround found. No way to change the default port to 'hide' this vulnerable server. Place server on VLAN and restrict access. Do not use NBX VOIP for remote offices or phones unless you have a MultiCast capable VPN or private VPN.

3com Response: None

Solution:
Please contact vendor for new firmware when they fix it.

For a report on Security Risk Factors with IP Telephony based Networks see: Security_Risk_Factors_with_IP_Telephony_based_Networks

Also reference article "is VoIP vulnerable ?" on NWfusion.com
http://www.nwfusion.com/news/2002/0624voip.html

see "Firewall limits vex VoIP users" at Nwfusion
http://www.nwfusion.com/news/2002/0625bleeding.html

For earlier problems with 3com NBX, ftp denial of service attack, see http://www.secnap.com/security/nbx001.html

Credit:
This problem was originally found during a routine security audit by Michael Scheidell, SECNAP Network Security, www.secnap.com using the Nessus vulnerabilities scanner, www.nessus.org.

Additional Information:

To test your systems for this vulnerability, you can use Nessus at www.nessus.org.
Select default scan runs.

Original copy of this report can be found here
<http://www.secnap.net/security/20040420.html>

Copyright:
Above Copyright(c) 2004, SECNAP Network Security Corporation. World rights reserved.

This security report can be copied and redistributed electronically provided it is not edited and is quoted in its entirety without written consent of SECNAP Network Security Corporation. Additional information or permission may be obtained by contacting SECNAP Network Security at 561-368-9561 or www.secnap.com
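
The workaround in the advisory above (VLAN plus restricted access) has to be enforced on an upstream device, since the report states the NBX has no IP access control lists of its own. The following is an added example, not part of the original advisory: it audits a firewall log for accepted connections to the NetSet web port from outside the allowed networks and for scan-like bursts. The addresses, the log format, port 80, the allowed network and the burst threshold are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# All values below are constructed for illustration (assumptions, not from the advisory).
NBX_ADDR = ipaddress.ip_address("192.0.2.10")          # NBX call manager
NETSET_PORT = 80                                       # assumed NetSet HTTP port
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # VLAN permitted to reach NetSet
BURST = 5  # accepted connections per source per minute treated as scan-like

# Constructed firewall log, one event per line: "timestamp action src dst dport"
SAMPLE_LOG = """\
2004-04-20T10:00:01 ACCEPT 10.20.0.5 192.0.2.10 80
2004-04-20T10:00:07 DROP 198.51.100.7 192.0.2.10 80
2004-04-20T10:01:02 ACCEPT 10.30.4.9 192.0.2.10 80
2004-04-20T10:01:03 ACCEPT 10.30.4.9 192.0.2.10 80
2004-04-20T10:01:04 ACCEPT 10.30.4.9 192.0.2.10 80
2004-04-20T10:01:05 ACCEPT 10.30.4.9 192.0.2.10 80
2004-04-20T10:01:06 ACCEPT 10.30.4.9 192.0.2.10 80
2004-04-20T10:01:07 ACCEPT 10.30.4.9 192.0.2.10 80
2004-04-20T10:02:00 ACCEPT 10.30.4.9 192.0.2.20 80
2004-04-20T10:03:00 ACCEPT 203.0.113.50 192.0.2.10 80
"""

def audit(log_text):
    """Return (leaks, bursts) for traffic that actually reached the NetSet port.

    leaks  -- sorted sources outside ALLOWED_NETS whose connections were accepted
    bursts -- {source: highest accepted-connection count seen in one minute}
    """
    leaks = set()
    per_minute = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, action, src, dst, dport = parts
        if (action != "ACCEPT" or ipaddress.ip_address(dst) != NBX_ADDR
                or int(dport) != NETSET_PORT):
            continue  # blocked, or not aimed at the NetSet web server
        src_ip = ipaddress.ip_address(src)
        if not any(src_ip in net for net in ALLOWED_NETS):
            leaks.add(src)  # the upstream ACL let an unexpected source through
        per_minute[(src, ts[:16])] += 1  # bucket by source and minute
    bursts = {}
    for (src, _minute), count in per_minute.items():
        if count >= BURST:
            bursts[src] = max(count, bursts.get(src, 0))
    return sorted(leaks), bursts

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Because phone users also reach NetSet to change their own settings, the allowed networks in a real deployment would include whichever user VLANs policy permits, not only the administrators' subnet.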