Indigo CERT Vulnerability Assessment Report
Test results of CERT / OUSPG PROTOS test-suite following the release of CERT Advisory CA-2003-06
Introduction
In [1], the CERT Coordination Center (CERT/CC), a major reporting center for Internet security problems, issued an advisory stating that numerous vulnerabilities had been reported in multiple vendors' implementations of the Session Initiation Protocol (SIP) [4]. Related to this advisory, the CERT/CC also issued Vulnerability Note VU#528719 [2].
This CERT Vulnerability Note is based on the investigation work conducted by the Finnish Oulu University Secure Programming Group using the PROTOS Test-Suite c07-sip [3], which was developed for that purpose.
In the interest of its customers and of the whole Internet community in general represented by the CERT/CC, Indigo Software has taken this Vulnerability Note very seriously and has decided to run a test campaign using the PROTOS Test-Suite on its SIP-based product lines in order to assess a possible vulnerability.
The Indigo SIP-based product portfolio consists of the following products:
The PROTOS Test-Suite [3] applies to User Agent and Proxy Server roles. As Indigo does not include a User Agent offering in its product portfolio, the PROTOS Test-Suite applies to the Proxy role implemented in the Indigo SIP Server & SDK and Indigo Communications Server & SDK product packages.
It is worth noting that all Indigo SIP servers (Proxy/Redirect/Registrar/Presence/3PCC) in the Indigo product portfolio are developed on top of the Indigo SIP Foundation Class (Indigo's own SIP stack foundation), so possible vulnerabilities in the Indigo SIP Foundation Class are implicitly tested and assessed by the PROTOS Test-Suite during those tests.
Criteria to pass a PROTOS test-case
In [1], section Results, OUSPG describes the criteria to be considered to pass or fail a PROTOS test-case. They are copied below:
In this test-suite, the failed status is granted if any of the following criteria are met and a single test-case or linear sequence of cases can be identified to be responsible for it:
If no single test-case can be identified but similar effects are observed, the status is inconclusive.
Sometimes, a subject gets corrupted so badly or is fundamentally so unstable that there is no way to collect accurate test-results for the whole test-run. Untested regions are marked as unknown.
Otherwise, the status is passed.
Detailed results of the vulnerability assessment tests
Test configuration
A User Agent (Microsoft MSN Messenger) is registered with the Indigo Proxy Server (IP 192.168.254.23) and is used as destination endpoint for PROTOS. The PROTOS test tool runs on a separate machine.
The System Under Test (SUT) is:
Test-Group by Test-Group Test Run - Results table
PROTOS command used (i.e. Test-cases range: 573-629):
D:\CERT_warning_protos_c07_test>java -jar c07-sip-r1.jar -touri [email protected] -fromuri [email protected] -teardown -start 573 -stop 629 -validcase -lport 5002
| Name | Exceptional Elements | First Index # | Test Cases | Indigo Proxy Test Result |
|---|---|---|---|---|
| valid | n/a | 0 | 1 | PASSED |
| SIP-Method | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 1 | 193 | PASSED |
| SIP-Request-URI | sip-URI | 194 | 61 | PASSED |
| SIP-Version | sip-version | 255 | 75 | PASSED |
| SIP-Via-Host | ipv4-ascii | 330 | 106 | PASSED |
| SIP-Via-Hostcolon | overflow-colon | 436 | 16 | PASSED |
| SIP-Via-Hostport | integer-ascii | 452 | 46 | PASSED |
| SIP-Via-Version | sip-version | 498 | 75 | PASSED |
| SIP-Via-Tag | sip-tag | 573 | 57 | PASSED |
| SIP-From-Displayname | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 630 | 193 | PASSED |
| SIP-From-Tag | sip-tag | 823 | 57 | PASSED |
| SIP-From-Colon | overflow-colon | 880 | 16 | PASSED |
| SIP-From-URI | sip-URI | 896 | 61 | PASSED |
| SIP-Contact-Displayname | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 957 | 193 | PASSED |
| SIP-Contact-URI | sip-URI | 1150 | 61 | PASSED |
| SIP-Contact-Left-Paranthesis | overflow-leftbracket | 1211 | 16 | PASSED |
| SIP-Contact-Right-Paranthesis | overflow-rightbracket | 1227 | 16 | PASSED |
| SIP-To | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 1243 | 193 | PASSED |
| SIP-To-Left-Paranthesis | overflow-leftbracket | 1436 | 16 | PASSED |
| SIP-To-Right-Paranthesis | overflow-rightbracket | 1452 | 16 | PASSED |
| SIP-Call-Id-Value | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 1468 | 193 | PASSED |
| SIP-Call-Id-At | overflow-at | 1661 | 16 | PASSED |
| SIP-Call-Id-Ip | ipv4-ascii | 1677 | 106 | PASSED |
| SIP-Expires | integer-ascii | 1783 | 46 | PASSED |
| SIP-Max-Forwards | integer-ascii | 1829 | 46 | PASSED |
| SIP-Cseq-Integer | integer-ascii | 1875 | 46 | PASSED |
| SIP-Cseq-String | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 1921 | 193 | PASSED |
| SIP-Content-Type | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape, content-type | 2114 | 247 | PASSED |
| SIP-Content-Length | integer-ascii | 2361 | 46 | PASSED |
| SIP-Request-CRLF | crlf | 2407 | 10 | PASSED |
| CRLF-Request | crlf | 2417 | 10 | PASSED |
| SDP-Attribute-CRLF | crlf | 2427 | 10 | PASSED |
| SDP-Proto-v-Identifier | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 2437 | 193 | PASSED |
| SDP-Proto-v-Equal | overflow-equal | 2630 | 16 | PASSED |
| SDP-Proto-v-Integer | integer-ascii | 2646 | 46 | PASSED |
| SDP-Origin-Username | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 2692 | 193 | PASSED |
| SDP-Origin-Sessionid | integer-ascii | 2885 | 46 | PASSED |
| SDP-Origin-Networktype | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 2931 | 193 | PASSED |
| SDP-Origin-Ip | overflow-equal | 3124 | 106 | PASSED |
| SDP-Session | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 3230 | 193 | PASSED |
| SDP-Connection-Networktype | overflow-general, overflow-space, overflow-null, utf-8, fmtstring | 3423 | 188 | PASSED |
| SDP-Connection-Ip | ipv4-ascii | 3611 | 106 | PASSED |
| SDP-Time-Start | integer-ascii | 3717 | 46 | PASSED |
| SDP-Time-Stop | empty | 3763 | 1 | PASSED |
| SDP-Media-Media | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 3764 | 193 | PASSED |
| SDP-Media-Port | integer-ascii | 3957 | 46 | PASSED |
| SDP-Media-Transport | overflow-general, overflow-space, overflow-null, fmtstring, ansi-escape | 4003 | 118 | PASSED |
| SDP-Media-Type | integer-ascii | 4121 | 46 | PASSED |
| SDP-Attribute-Rtpmap | overflow-general, overflow-space, overflow-null, fmtstring, ansi-escape | 4167 | 118 | PASSED |
| SDP-Attribute-Colon | overflow-colon | 4285 | 16 | PASSED |
| SDP-Attribute-Payloadtype | integer-ascii | 4301 | 46 | PASSED |
| SDP-Attribute-Encodingname | integer-ascii | 4347 | 118 | PASSED |
| SDP-Attribute-Slash | overflow-slash | 4465 | 16 | PASSED |
| SDP-Attribute-Clockrate | integer-ascii | 4481 | 46 | PASSED |
All test-cases in one go
A. Validcase option not activated
PROTOS command used:
D:\CERT_warning_protos_c07_test>java -jar c07-sip-r1.jar -touri [email protected] -fromuri [email protected] -teardown -lport 5002
| Name | Exceptional Elements | First Index # | Test Cases | Indigo Proxy Test Result |
|---|---|---|---|---|
| All test-cases in one go | -validcase option deactivated | 1 | 4527 | PASSED |
B. Validcase option activated
D:\CERT_warning_protos_c07_test>java -jar c07-sip-r1.jar -touri [email protected] -fromuri [email protected] -teardown -validcase -lport 5002
| Name | Exceptional Elements | First Index # | Test Cases | Indigo Proxy Test Result |
|---|---|---|---|---|
| All test-cases in one go | -validcase option activated | 1 | 4527 | PASSED |
Conclusion of the assessment - Indigo Corporate Statement
The Indigo Proxy Server role built in the Indigo SIP Server & SDK and Indigo Communications Server & SDK has successfully passed all PROTOS Test-Suite c07 (http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/) test-cases, run either test-group per test-group or all test-cases in one go.
Moreover, after each and every test-case, the Indigo Proxy Server was still fully operational and able to treat new valid requests.
Consequently, given the fact that, like for all Indigo servers, the Indigo Proxy Server is built on top of the Indigo SIP Foundation Class, the Indigo SIP Foundation Class has also implicitly passed all test-cases.
These test observations allow Indigo Software to declare that its Indigo SIP Foundation Class, Indigo SIP Server & SDK and its Indigo Communications Server & SDK are NOT VULNERABLE to DoS and other attacks simulated by the PROTOS Vulnerability Assessment Test Suite.
References
[1] CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP), http://www.cert.org/advisories/CA-2003-06.html
[2] Vulnerability Note VU#528719, http://www.kb.cert.org/vuls/id/528719
[3] OUSPG PROTOS Test-Suite: c07-sip, http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/
[4] RFC 3261 "SIP: Session Initiation Protocol", http://www.ietf.org/rfc/rfc3261.txt?number=3261, IETF, June 2002