FrSIRT, the French Security Incident Response Team, has reported that multiple vulnerabilities have been identified in various IP-PBX software applications that can be exploited by attackers to bypass security restrictions and cause denial of service attacks or otherwise compromise vulnerable systems. The software is used by an ever increasing number of companies in order to computerise their telephone switchboard systems and implement low cost Internet calls.
A number of issues have been highlighted by FrSIRT, including a buffer overflow error in the RTP payload handling code when processing a malformed INVITE or SIP packet with SDP. This could be exploited in order to execute arbitrary code. There is also a report of an error in the SIP channel driver itself when handling invalid "From" headers, which could be exploited to perform unauthenticated calls.
"Recent reports suggest that as many as 50 per cent of major companies are using Internet telephony services as a way of cutting their telecommunications costs, but our analysis is that they also need to review their IP telephony security arrangements as well" Rob Rachwald, Fortify Software's director of product marketing told us, adding "the buffer overload problem in the RTP payload handling code when dealing with a malformed INVITE or SIM packet with SDP, is, we predict, one of several buffer-based security problems you're going to see with company IP telephony systems in the near future. Most companies have installed multi-layered security technology on their computer network, but IP telephony services almost always escape the scrutiny of the IT security systems in place to protect a company's computers and network technology. That situation will change, we predict, as hackers from the criminal side of things start to realise the revenue potential from hacking into company PBXs and then hack for monetary gain from that route."