AudioControl VERSION 6.2 manual SIP Secure Connection Vulnerability, Securing memory resources

Models: VERSION 6.2

4. SIP Secure Connection Vulnerability:

CPE SIP Products


 

Product: MP-11x, MP-124, Mediant 600, Mediant 1000, Mediant 800 MSBG, Mediant 1000 MSBG, Mediant 2000, Mediant 3000/TP-6310, Mediant 3000 HA/TP-6310, Mediant 3000/TP-8410, Mediant 3000 HA/TP-8410

Management Protocol: Web, INI, SNMP, EMS, CLI

This feature provides support for securing the device’s resources against SIP spam and invalid SIP messages:

Securing memory resources:

Socket Resource Abuse: Connections that are established without subsequent data transmission are released (after one minute), allowing the establishment of new connections.

Established Connection Flood: The device detects and subsequently discards any flood of “false” connections (such a flood typically prevents the establishment of new legitimate connections). The device effectively manages its socket resources, releasing unused sockets for required connections.

CPU:

Loop-Amplification Scenario: The device prevents routing between its interfaces. In this scenario, the attacker needs to convince the device to rewrite a request to a location that resolves to the device itself. This can be done if routing is according to the SIP Request-URI header and the address specified is the device’s IP address, which results in the server overloading itself. Another method for creating loops is through a SIP proxy to which the device routes and which then routes the request back to the device.

For MSBG products, the SBCMaxForwardsLimit parameter is used to limit the SIP Max-Forwards header value.

Malformed SIP Requests: Malformed SIP message requests are typically sent to force needless, expensive SIP parsing, thereby wasting CPU resources. The device’s parsing has been significantly improved to detect malformed messages and to reject them in the early parsing stages.

SIP Vulnerabilities:

General Parser Errors: Parser errors (invalid SIP messages) do not cause loss of service.

SIP Content-Length header value greater than the message’s actual body: This can delay or deny service by causing a TCP connection to wait for the rest of that body to arrive.

- TCP: A maximum message length is dictated.

- UDP: Content-Length is validated against the packet size. If the packet size is not as declared in the Content-Length header, only the actual body size is validated and the Content-Length header is ignored.

Invalid Content-Length header: The device ignores such messages.

Null characters are allowed only in the SIP message’s body according to the SIP ABNF. The device rejects messages that arrive with null characters in the headers part of the message. This ensures that the device doesn’t forward invalid messages that can be harmful to the internal network.
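
The UDP checks listed above, sketched as an added example (this is not code from the device or its vendor). The function name check_udp_sip, the limit value 10 and the way the Max-Forwards cap is applied are assumptions, and the sample datagrams are constructed.

```python
# Added illustration, not vendor code: checks applied to one SIP message
# received in a single UDP datagram.
MAX_FORWARDS_LIMIT = 10  # assumed local policy value, not a vendor default


def check_udp_sip(datagram: bytes, mf_limit: int = MAX_FORWARDS_LIMIT):
    """Return (verdict, body, max_forwards); verdict is 'accept' or a reject reason."""
    head, sep, body = datagram.partition(b"\r\n\r\n")
    if not sep:
        return "reject: headers not terminated", b"", None
    # NUL is legal only in the body, never in the start line or headers.
    if b"\x00" in head:
        return "reject: null character in headers", b"", None
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the start line
        name, colon, value = line.partition(b":")
        if colon:
            headers.setdefault(name.strip().lower(), value.strip())
    # "l" is the compact form of Content-Length (RFC 3261).
    declared = headers.get(b"content-length", headers.get(b"l"))
    if declared is not None and not declared.isdigit():
        return "reject: invalid Content-Length", b"", None
    # UDP: the datagram is the whole message. A declared length that does not
    # match is ignored and the actual body is used, so nothing waits for bytes
    # that will never arrive.
    mf = headers.get(b"max-forwards")
    # Assumption: the limit is applied by capping the received hop budget.
    mf = min(int(mf), mf_limit) if mf and mf.isdigit() else None
    return "accept", body, mf


# Constructed sample datagrams (not captured traffic).
_BASE = (b"OPTIONS sip:user@192.0.2.10 SIP/2.0\r\n"
         b"Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKexample\r\n"
         b"Max-Forwards: 70\r\n")
OVERSTATED = _BASE + b"Content-Length: 9999\r\n\r\nabc"
BAD_LENGTH = _BASE + b"Content-Length: -5\r\n\r\n"
NUL_HEADER = _BASE + b"Subject: a\x00b\r\nContent-Length: 0\r\n\r\n"
NUL_IN_BODY = _BASE + b"Content-Length: 3\r\n\r\na\x00b"

if __name__ == "__main__":
    for name in ("OVERSTATED", "BAD_LENGTH", "NUL_HEADER", "NUL_IN_BODY"):
        print(name, check_udp_sip(globals()[name]))
```

A TCP listener cannot use the packet boundary this way, which is why a maximum message length is dictated there instead.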

SIP Release Notes


Document #: LTRT-26901
