Indigo CERT Vulnerability Assessment Report

Test results of CERT / OUSPG PROTOS test-suite following the release of CERT Advisory CA-2003-06

Introduction

In [1], the CERT Coordination Center (CERT/CC), a major reporting center for Internet security problems, issued an advisory stating that numerous vulnerabilities had been reported in multiple vendors' implementations of the Session Initiation Protocol (SIP) [4]. In connection with this advisory, the CERT/CC also issued Vulnerability Note VU#528719 [2].

This CERT Vulnerability Note is based on the investigation work conducted by the Finnish Oulu University Secure Programming Group (OUSPG) using the PROTOS Test-Suite c07-sip [3], which was developed for that purpose.

In the interest of its customers and of the whole Internet community in general represented by the CERT/CC, Indigo Software has taken this Vulnerability Note very seriously and has decided to run a test campaign using the PROTOS Test-Suite on its SIP-based product lines in order to assess a possible vulnerability.

The Indigo SIP-based product portfolio consists of the following products:

  • Indigo SIP Foundation Class
  • Indigo SIP Server & SDK, which includes notably Proxy/Redirect/Registrar server roles
  • Indigo Presence Server & SDK
  • Indigo Communications Server & SDK, which bundles the Indigo SIP Server & SDK and the Indigo Presence Server & SDK
The PROTOS Test-Suite [3] applies to the User Agent and Proxy Server roles. As Indigo does not include a User Agent offering in its product portfolio, the PROTOS Test-Suite applies to the Proxy role implemented in the Indigo SIP Server & SDK and Indigo Communications Server & SDK product packages.

It is worth noting that all Indigo SIP servers (Proxy/Redirect/Registrar/Presence/3PCC) in the Indigo product portfolio are developed on top of the Indigo SIP Foundation Class (Indigo's own SIP stack foundation), so possible vulnerabilities in the Indigo SIP Foundation Class are implicitly tested and assessed by the PROTOS Test-Suite during those tests.


    Criteria to pass a PROTOS test-case

    In [1], section Results, OUSPG describes the criteria used to pass or fail a PROTOS test-case. They are reproduced below:

    In this test-suite, the failed status is granted if any of the following criteria are met and a single test-case or linear sequence of cases can be identified to be responsible for it:

  • A device undergoes a fatal failure and stops functioning normally.
  • A process or a device crashes or hangs and needs to be restarted manually.
  • A process or a device crashes and restarts automatically.
  • A process consumes almost all CPU and/or memory resources for an exceptionally long or indefinite time.

    If no single test-case can be identified but similar effects are observed, the status is inconclusive.
    Sometimes, a subject gets corrupted so badly or is fundamentally so unstable that there is no way to collect accurate test-results for the whole test-run. Untested regions are marked as unknown.
    Otherwise, the status is passed.



    Detailed results of the vulnerability assessment tests
    Test configuration

    A User Agent (Microsoft MSN Messenger) is registered with the Indigo Proxy Server (IP 192.168.254.23) and is used as destination endpoint for PROTOS. The PROTOS test tool runs on a separate machine.

    The System Under Test (SUT) is:
  • SW: Indigo Proxy Server 4.5 (Indigo SIP Server & SDK 4.5, Indigo Communications Server & SDK 4.5)
  • OS: Windows 2000
  • HW: PIII 733 MHz; 512 MB SDRAM

    Test-Group by Test-Group Test Run - Results table

    PROTOS command used (shown for the test-case range 573-629):

    D:\CERT_warning_protos_c07_test>java -jar c07-sip-r1.jar -touri ndramais@192.168.254.23 -fromuri cert@ganymede.indigosw.net -teardown -start 573 -stop 629 -validcase -lport 5002



    | Name | Exceptional Elements | First Index # | Test Cases | IndigoProxy Test Result |
    |---|---|---|---|---|
    | valid | n/a | 0 | 1 | PASSED |
    | SIP-Method | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 1 | 193 | PASSED |
    | SIP-Request-URI | sip-URI | 194 | 61 | PASSED |
    | SIP-Version | sip-version | 255 | 75 | PASSED |
    | SIP-Via-Host | ipv4-ascii | 330 | 106 | PASSED |
    | SIP-Via-Hostcolon | overflow-colon | 436 | 16 | PASSED |
    | SIP-Via-Hostport | integer-ascii | 452 | 46 | PASSED |
    | SIP-Via-Version | sip-version | 498 | 75 | PASSED |
    | SIP-Via-Tag | sip-tag | 573 | 57 | PASSED |
    | SIP-From-Displayname | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 630 | 193 | PASSED |
    | SIP-From-Tag | sip-tag | 823 | 57 | PASSED |
    | SIP-From-Colon | overflow-colon | 880 | 16 | PASSED |
    | SIP-From-URI | sip-URI | 896 | 61 | PASSED |
    | SIP-Contact-Displayname | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 957 | 193 | PASSED |
    | SIP-Contact-URI | sip-URI | 1150 | 61 | PASSED |
    | SIP-Contact-Left-Paranthesis | overflow-leftbracket | 1211 | 16 | PASSED |
    | SIP-Contact-Right-Paranthesis | overflow-rightbracket | 1227 | 16 | PASSED |
    | SIP-To | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 1243 | 193 | PASSED |
    | SIP-To-Left-Paranthesis | overflow-leftbracket | 1436 | 16 | PASSED |
    | SIP-To-Right-Paranthesis | overflow-rightbracket | 1452 | 16 | PASSED |
    | SIP-Call-Id-Value | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 1468 | 193 | PASSED |
    | SIP-Call-Id-At | overflow-at | 1661 | 16 | PASSED |
    | SIP-Call-Id-Ip | ipv4-ascii | 1677 | 106 | PASSED |
    | SIP-Expires | integer-ascii | 1783 | 46 | PASSED |
    | SIP-Max-Forwards | integer-ascii | 1829 | 46 | PASSED |
    | SIP-Cseq-Integer | integer-ascii | 1875 | 46 | PASSED |
    | SIP-Cseq-String | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 1921 | 193 | PASSED |
    | SIP-Content-Type | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape, content-type | 2114 | 247 | PASSED |
    | SIP-Content-Length | integer-ascii | 2361 | 46 | PASSED |
    | SIP-Request-CRLF | crlf | 2407 | 10 | PASSED |
    | CRLF-Request | crlf | 2417 | 10 | PASSED |
    | SDP-Attribute-CRLF | crlf | 2427 | 10 | PASSED |
    | SDP-Proto-v-Identifier | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 2437 | 193 | PASSED |
    | SDP-Proto-v-Equal | overflow-equal | 2630 | 16 | PASSED |
    | SDP-Proto-v-Integer | integer-ascii | 2646 | 46 | PASSED |
    | SDP-Origin-Username | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 2692 | 193 | PASSED |
    | SDP-Origin-Sessionid | integer-ascii | 2885 | 46 | PASSED |
    | SDP-Origin-Networktype | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 2931 | 193 | PASSED |
    | SDP-Origin-Ip | overflow-equal | 3124 | 106 | PASSED |
    | SDP-Session | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 3230 | 193 | PASSED |
    | SDP-Connection-Networktype | overflow-general, overflow-space, overflow-null, utf-8, fmtstring | 3423 | 188 | PASSED |
    | SDP-Connection-Ip | ipv4-ascii | 3611 | 106 | PASSED |
    | SDP-Time-Start | integer-ascii | 3717 | 46 | PASSED |
    | SDP-Time-Stop | empty | 3763 | 1 | PASSED |
    | SDP-Media-Media | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 3764 | 193 | PASSED |
    | SDP-Media-Port | integer-ascii | 3957 | 46 | PASSED |
    | SDP-Media-Transport | overflow-general, overflow-space, overflow-null, fmtstring, ansi-escape | 4003 | 118 | PASSED |
    | SDP-Media-Type | integer-ascii | 4121 | 46 | PASSED |
    | SDP-Attribute-Rtpmap | overflow-general, overflow-space, overflow-null, fmtstring, ansi-escape | 4167 | 118 | PASSED |
    | SDP-Attribute-Colon | overflow-colon | 4285 | 16 | PASSED |
    | SDP-Attribute-Payloadtype | integer-ascii | 4301 | 46 | PASSED |
    | SDP-Attribute-Encodingname | integer-ascii | 4347 | 118 | PASSED |
    | SDP-Attribute-Slash | overflow-slash | 4465 | 16 | PASSED |
    | SDP-Attribute-Clockrate | integer-ascii | 4481 | 46 | PASSED |
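
The following is an added example, not part of the original report or of the PROTOS tool: it takes the First Index and Test Cases columns of the table above, checks that the groups tile the index space without gaps, derives the `-start`/`-stop` arguments for a per-group run, and maps a case index back to the field it exercises. The function names and the compact `name:first:count` encoding are assumptions made for this sketch.

```python
import bisect
# name:first-index:test-cases, transcribed from the results table above.
GROUPS_RAW = """
valid:0:1 SIP-Method:1:193 SIP-Request-URI:194:61 SIP-Version:255:75
SIP-Via-Host:330:106 SIP-Via-Hostcolon:436:16 SIP-Via-Hostport:452:46
SIP-Via-Version:498:75 SIP-Via-Tag:573:57 SIP-From-Displayname:630:193
SIP-From-Tag:823:57 SIP-From-Colon:880:16 SIP-From-URI:896:61
SIP-Contact-Displayname:957:193 SIP-Contact-URI:1150:61
SIP-Contact-Left-Paranthesis:1211:16 SIP-Contact-Right-Paranthesis:1227:16
SIP-To:1243:193 SIP-To-Left-Paranthesis:1436:16 SIP-To-Right-Paranthesis:1452:16
SIP-Call-Id-Value:1468:193 SIP-Call-Id-At:1661:16 SIP-Call-Id-Ip:1677:106
SIP-Expires:1783:46 SIP-Max-Forwards:1829:46 SIP-Cseq-Integer:1875:46
SIP-Cseq-String:1921:193 SIP-Content-Type:2114:247 SIP-Content-Length:2361:46
SIP-Request-CRLF:2407:10 CRLF-Request:2417:10 SDP-Attribute-CRLF:2427:10
SDP-Proto-v-Identifier:2437:193 SDP-Proto-v-Equal:2630:16 SDP-Proto-v-Integer:2646:46
SDP-Origin-Username:2692:193 SDP-Origin-Sessionid:2885:46
SDP-Origin-Networktype:2931:193 SDP-Origin-Ip:3124:106 SDP-Session:3230:193
SDP-Connection-Networktype:3423:188 SDP-Connection-Ip:3611:106
SDP-Time-Start:3717:46 SDP-Time-Stop:3763:1 SDP-Media-Media:3764:193
SDP-Media-Port:3957:46 SDP-Media-Transport:4003:118 SDP-Media-Type:4121:46
SDP-Attribute-Rtpmap:4167:118 SDP-Attribute-Colon:4285:16
SDP-Attribute-Payloadtype:4301:46 SDP-Attribute-Encodingname:4347:118
SDP-Attribute-Slash:4465:16 SDP-Attribute-Clockrate:4481:46
"""

def load_groups(raw=GROUPS_RAW):
    """Parse the table into (name, first_index, case_count) tuples."""
    rows = (tok.rsplit(":", 2) for tok in raw.split())
    return [(name, int(first), int(count)) for name, first, count in rows]

def contiguity_errors(groups):
    """List (prev, group, expected_first, actual_first) for every gap or overlap."""
    return [(p[0], g[0], p[1] + p[2], g[1])
            for p, g in zip(groups, groups[1:]) if p[1] + p[2] != g[1]]

def group_for_case(groups, index):
    """Name of the test group a case index belongs to (for triaging a failing case)."""
    pos = bisect.bisect_right([first for _, first, _ in groups], index) - 1
    if pos < 0 or index >= groups[pos][1] + groups[pos][2]:
        raise ValueError(f"case {index} is outside the table")
    return groups[pos][0]

def range_args(groups, name):
    """The -start/-stop arguments, as used on the command line above, for one group."""
    first, count = next((f, c) for n, f, c in groups if n == name)
    return ["-start", str(first), "-stop", str(first + count - 1)]

if __name__ == "__main__":
    print(" ".join(range_args(load_groups(), "SIP-Via-Tag")))
```

For the SIP-Via-Tag group this reproduces the range used in the command shown above, and the group counts sum to the 4527 cases reported for the full run.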



    All test-cases in one go

    A. Validcase option not activated

    PROTOS command used:

    D:\CERT_warning_protos_c07_test>java -jar c07-sip-r1.jar -touri ndramais@192.168.254.23 -fromuri cert@ganymede.indigosw.net -teardown -lport 5002


    | Name | Exceptional Elements | First Index # | Test Cases | IndigoProxy Test Result |
    |---|---|---|---|---|
    | All test-cases in one go | -validcase option deactivated | 1 | 4527 | PASSED |



    B. Validcase option activated

    D:\CERT_warning_protos_c07_test>java -jar c07-sip-r1.jar -touri ndramais@192.168.254.23 -fromuri cert@ganymede.indigosw.net -teardown -validcase -lport 5002


    | Name | Exceptional Elements | First Index # | Test Cases | IndigoProxy Test Result |
    |---|---|---|---|---|
    | All test-cases in one go | -validcase option activated | 1 | 4527 | PASSED |



    Conclusion of the assessment - Indigo Corporate Statement

    The Indigo Proxy Server role built in the Indigo SIP Server & SDK and Indigo Communications Server & SDK has successfully passed all PROTOS Test-Suite c07 (http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/) test-cases, run either test-group per test-group or all test-cases in one go.

    Moreover, after each and every test-case, the Indigo Proxy Server was still fully operational and able to process new valid requests.

    Consequently, given that the Indigo Proxy Server, like all Indigo servers, is built on top of the Indigo SIP Foundation Class, the Indigo SIP Foundation Class has also implicitly passed all test-cases.

    These test observations allow Indigo Software to declare that its Indigo SIP Foundation Class, Indigo SIP Server & SDK and its Indigo Communications Server & SDK are NOT VULNERABLE to DoS and other attacks simulated by the PROTOS Vulnerability Assessment Test Suite.


    References

    [1] CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP), http://www.cert.org/advisories/CA-2003-06.html

    [2] Vulnerability Note VU#528719, http://www.kb.cert.org/vuls/id/528719

    [3] OUSPG PROTOS Test-Suite: c07-sip, http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/

    [4] RFC 3261 "SIP: Session Initiation Protocol", http://www.ietf.org/rfc/rfc3261.txt?number=3261, IETF, June 2002