Full Version: 3com Nbx Voip Netset Dos
qcred11
May 2 2004, 09:59 PM
QUOTE


Systems: 3com NBX IP VOIP NetSet® Configuration Manager
Severity: Serious
Category: Denial of Service
Classification: Insufficient user input checking
BugTraq-ID: TBD
CERT VU#: TBD
CVE ID: TBD
Vendor URL: www.3com.com
Author: Michael S. Scheidell, SECNAP Network Security Corporation
Original Release date: April 20, 2004
Notifications: 3com Notified via email April 20, 2004, no response
Last contact with 3com: NA

Discussion: From 3com's web site:

3Com® SuperStack® 3 NBX® and 3Com NBX 100 networked telephony solutions offer wide-ranging price/performance alternatives to fit your business needs today and tomorrow. 3Com® SuperStack® 3 NBX® Networked Telephony Solution Delivers robust, full-featured business communications for up to 1500 devices (lines/stations) Ensures high system availability with the Wind River VxWorks real-time operating system (also used in pacemakers and artificial hearts), so server and PC downtime does not impact your telephone service.

Exploit: It was possible to make the remote Virata-EmWeb/R6_0_3 server (the NBX Netset application) crash by running a standard nessus scan in safeChecks mode. Note: safeChecks mode only does web queries, XSS, etc.

The 3com NBX uses VXWORKS Embedded Real time Operating system and what appears to be Virata-EmWeb/R6_0_3 web server. This web server is used by the NetSet configuration program to update/reboot/backup/configure and check status on the 3com NBX VOIP call manager. It is also used by each phone user to change speed dial numbers, configure call forwarding and other features of their individual phone sets. By running the nessus vulnerabilities scanner, in safeChecks mode, a hacker or user can disable the Netset status, Call detail functions, maintenance functions, including the ability to 'soft boot' system. Note: you may still be able to connect a 9600 baud terminal to the 3com NBX Call Manager and soft boot system, but this requires physical access and would need to be done each and every time someone ran nessus. Also note, that with the proliferation of web based attacks on the net lately, and the fact that the nessus tests are just a 'safe' version of these exploits, this creates a serious problem for the NBX.

Also note, that the NBX is NOT SIP, but rather uses 3com proprietary multi-cast protocol. An enterprise that deploys the 3com VOIP NBX system and expects to use the functions on a remote phone must either use a Multicast VPN router (rare and expensive), or place the NBX on the outside of the firewall. Also, there is no ability to keep hackers and crackers from connecting to the 'open/bare' nbx call manager web port via ip access control lists on the nbx. A quick google search will find several 3com nbx systems with the Call manager exposed.

http://ipphone.cybertown.co.at/
http://telephone.michiganaerospace.com/
http://nbxss3.shoreschool.org/

This condition is not recovered without a Hard reboot (power off/on). Since the 3com nbx is based on an embedded Unix operating system (vxworks), an abrupt power off could cause loss of data, including corruption of voice mails in progress or logs.

A company who uses the VoIP features for remote locations, and who has the call manager located on the outside of their firewall, or has no firewall can have their VOIP management functions disrupted easily. Even if the company has call manager located on internal network, people with internal network access can also disrupt communications.

We have tested 3com nbx firmware version 4_2_7 (with embedded web server Virata-EmWeb/R6_0_3).

3com should have had in place the ability to test their new software versions in QA, especially since they know, or should know that these systems can be exposed to attack from the internet. 3com has known since at least October 2002 when we informed them of the security problems with the built in ftp server. We have asked 3com several times since then for updated copies of the firmware to address the problem, and for us to test but have not had a response from 3com since December, 2002.

(See http://www.secnap.com/security/nbx001.html for details of previous DOS problems with 3com nbx system)

Update/Workaround: no workaround found. No way to change the default port to 'hide' this vulnerable server. Place server on VLAN and restrict access. Do not use NBX VOIP for remote offices or phones unless you have a MultiCast capable VPN or private VPN.

3com Response: None

Solution:
Please contact vendor for new firmware when they fix it.

For a report on Security Risk Factors with IP Telephony based Networks see:
Security_Risk_Factors_with_IP_Telephony_based_Networks

Also reference article "is VoIP vulnerable?" on NWfusion.com http://www.nwfusion.com/news/2002/0624voip.html


see "Firewall limits vex VoIP users" at Nwfusion
http://www.nwfusion.com/news/2002/0625bleeding.html

For earlier problems with 3com NBX, ftp denial of service attack, see http://www.secnap.com/security/nbx001.html
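
An added example, not part of the quoted advisory or the original post: one way to audit the "place server on VLAN and restrict access" workaround, by checking which call managers with the affected banner still accept web traffic from outside the management network. The ACL tuple format, all addresses, the probe list, the function names and the assumption that NetSet listens on TCP 80 are constructed for illustration.

```python
import ipaddress

AFFECTED_BANNER = "Virata-EmWeb/R6_0_3"          # Server banner named in the advisory
NETSET_PORT = 80                                 # assumption: default HTTP port
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")  # constructed management VLAN

# Constructed first-match ACL in front of the call managers:
# (action, source CIDR, destination IP, destination port or None for any)
SAMPLE_ACL = [
    ("permit", "10.20.0.0/24", "10.50.0.10", 80),    # mgmt VLAN -> NBX A
    ("deny",   "0.0.0.0/0",    "10.50.0.10", 80),    # everyone else blocked
    ("permit", "0.0.0.0/0",    "10.50.0.11", None),  # NBX B left wide open
]
# Constructed inventory: Server headers recorded during an asset survey
SAMPLE_INVENTORY = {
    "10.50.0.10": "Virata-EmWeb/R6_0_3",
    "10.50.0.11": "Virata-EmWeb/R6_0_3",
    "10.50.0.12": "Apache",
}
# Constructed probe sources: management host, internal user LAN, Internet
SAMPLE_PROBES = ["10.20.0.5", "10.30.0.77", "203.0.113.9"]

def evaluate(acl, src, dst, port):
    """First matching rule wins; no match means implicit deny."""
    src_ip = ipaddress.ip_address(src)
    for action, src_cidr, rule_dst, rule_port in acl:
        if (src_ip in ipaddress.ip_network(src_cidr)
                and rule_dst == dst
                and rule_port in (None, port)):
            return action
    return "deny"

def exposed_hosts(inventory, acl, probes, mgmt_net=MGMT_NET):
    """Map each affected host to the non-management probes that can reach it."""
    findings = {}
    for host, banner in inventory.items():
        if AFFECTED_BANNER not in banner:
            continue  # different web server, outside this advisory
        leaks = [p for p in probes
                 if ipaddress.ip_address(p) not in mgmt_net
                 and evaluate(acl, p, host, NETSET_PORT) == "permit"]
        if leaks:
            findings[host] = leaks
    return findings

if __name__ == "__main__":
    print(exposed_hosts(SAMPLE_INVENTORY, SAMPLE_ACL, SAMPLE_PROBES))
```

The internal user LAN probe matters here because the advisory notes that people with internal network access can also disrupt the call manager.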

