---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. Request your account, the Secunia Network Software Inspector (NSI): http://secunia.com/network_software_inspector/ ---------------------------------------------------------------------- TITLE: Nortel Products Multiple Vulnerabilities SECUNIA ADVISORY ID: SA27234 VERIFY ADVISORY: http://secunia.com/advisories/27234/ CRITICAL: Less critical IMPACT: Exposure of sensitive information, DoS WHERE: >From local network OPERATING SYSTEM: Nortel Business Communications Manager 50 http://secunia.com/product/16189/ Nortel Multimedia Communication Server 5100 http://secunia.com/product/6792/ Nortel IP Phone 2000 Series http://secunia.com/product/16186/ Nortel IP Phone 1100 Series http://secunia.com/product/16185/ Nortel Communication Server 1000 http://secunia.com/product/2823/ Nortel Centrex IP Client Manager (CICM) http://secunia.com/product/5892/ Nortel Business Communications Manager 4.x http://secunia.com/product/15341/ Nortel Business Communications Manager 3.x http://secunia.com/product/2822/ Nortel Audio Conference Phone 2033 http://secunia.com/product/16184/ SOFTWARE: Nortel Multimedia Communication Server 5100 3.x http://secunia.com/product/15893/ Nortel Mobile Voice Client 2050 http://secunia.com/product/16188/ Nortel IP Softphone 2050 http://secunia.com/product/16187/ Nortel Multimedia Communication Server 5100 4.x http://secunia.com/product/14612/ DESCRIPTION: Some vulnerabilities have been reported in various Nortel products, which can be exploited by malicious people to cause a DoS (Denial of Service) and to eavesdrop with affected devices. 1) The problem is that it is possible to send spoofed registration messages to the server to which a UNIStim IP phone is connected, forcing the IP phone to re-register. This can be exploited to cause a DoS by continuously sending re-registration messages. 2) The problem is that it is possible to send spoofed "Open Audio Stream" messages to an IP phone. This can be exploited to open an audio channel and eavesdrop with the IP phone. The vulnerabilities are reported in the following products (see vendor advisory for details): * BCM 4.0, BCM 3.7, BCM50 * SRG1.0, SRG1.5, SRG50 * CS1000/Meridian1 * IP Audio Conf Phone 2033 * IP Phone 1100 series * IP Phone 200x * IP Softphone 2050 * Mobile Voice Client 2050 NOTE: The IPCM used in CS2000 and CS2100 is not affected when the UNIStim security protocol is enabled. The vendor still investigates if MCS5100 and MCS5200 are affected by the vulnerability. SOLUTION: Apply patches (see vendor advisory for details). http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2007/42/022872-01.pdf http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2007/42/022870-01.pdf PROVIDED AND/OR DISCOVERED BY: Daniel Stirnimann and Cyrill Brunschwiler, Compass Security Network Computing AG. ORIGINAL ADVISORY: Nortel: http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=654641 http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=654714 Compass Security Network Computing AG: http://www.csnc.ch/static/advisory/csnc/nortel_IP_phone_forced_re-authentication_v1.0.txt http://www.csnc.ch/static/advisory/csnc/nortel_IP_phone_surveillance_mode_v1.0.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------