<<< Date Index >>>     <<< Thread Index >>>

3com NBX VOIP NetSet Denial of Service Attack



Systems: 3com NBX IP VOIP NetSet(r) Configuration Manager
Severity: Serious 
Category: Denial of Service 
Classification: Insufficient user input checking
BugTraq-ID: TBD
CERT VU#: TBD
CVE ID: TBD
Vendor URL: www.3com.com
Author: Michael S. Scheidell, SECNAP Network Security Corporation
Original Release date: April 20, 2004
Notifications: 3com Notified via email April 20, 2004, no response
Last contact with 3com: NA

Discussion: From 3com's web site:

3Com® SuperStack® 3 NBX® and 3Com NBX 100 networked telephony solutions offer 
wide-ranging price/performance alternatives to fit your business needs today 
and tomorrow. 3Com® SuperStack® 3 NBX® Networked Telephony Solution Delivers 
robust, full-featured business communications for up to 1500 devices 
(lines/stations) Ensures high system availability with the Wind River VxWorks 
real-time operating system (also used in pacemakers and artificial hearts), so 
server and PC downtime does not impact your telephone service. 

Exploit: It was possible to make the remote Virata-EmWeb/R6_0_3 server (the NBX 
Netset application) crash by running a standard nessus scan in safeChecks mode. 
 Note: Saftchecks mode only does web queries, XSS, etc..

The 3com NBX uses VXWORKS Embedded Real time Operating system and what appears 
to be Virata-EmWeb/R6_0_3 web server.  this web server is used by the NetSet 
configuration program to update/reboot/backup/configure and check status on the 
3com NBX VPIO call manager.  It is also used by each phone user to change speed 
dial numbers, configure call forwarding and other features of their individual 
phone sets.  By running the nessus vulnerabilities scanner, in safeChecks mode, 
a hacker or user can disable the Netset status, Call detail functions, 
maintenance functions, including the ability to 'soft boot' system.  Note: you 
may still be able to connect a 9600 baud terminal to the 3com NBX Call Manager 
and soft boot system, but this requires physical access and would need to be 
done each and every time someone ran nessus.  Also note, that with the 
proliferation of web based attacks on the net lately, and the fact that the 
nessus tests are just a 'safe' version of these exploits, this creates a 
serious problem for the NBX.

Also note, that the NBX is NOT SIP, but rather uses 3com proprietary multi-cast 
protocol, an enterprise that deploys the 3com VOIP NBX system and expects to 
use the functions on a remote phone must either use a Multicast VPN router 
(rare and expensive), or place the NBX on the outside of the firewall.  Also, 
there is no ability to keep hackers and crackers from connecting to the 
'open/bare' nbx call manager web port via ip access control lists on the nbx.  
A quick google search will find several 3com nbx systems with the Call manager 
exposed.

http://ipphone.cybertown.co.at/
http://telephone.michiganaerospace.com/
http://nbxss3.shoreschool.org/

This condition is not recovered without a Hard reboot (power off/on). Since the 
3com nbx is based on an embedded Unix operating system (vxworks), an abrupt 
power off could cause loss of data, including corruption of voice mails in 
progress or logs. 

A company who uses the VoIP features for remote locations, and who has the call 
manager located on the outside of their firewall, or has no firewall can have 
their VOIP management functions disrupted easily. Even if the company has call 
manager located on internal network, people with internal network access can 
also disrupt communications. 

We have tested 3com nbx firmware version 4_2_7 (with embedded web server 
Virata-EmWeb/R6_0_3).

3com should have had in place the ability to test their new software versions 
in QA, especially since they know, or should know that these systems can be 
exposed to attack from the internet.  3com has known since at least October 
2002 when we informed them of the security problems with the built in ftp 
server.  We have asked 3com several times since then for updated copies of the 
firmware to address the problem, and for us to test but have not had a response 
from 3com since December, 2002.

See http://www.secnap.com/security/nbx001.html for details of previous DOS 
problems with 3com nbx system)

Update/Workaround:  no workaround found.  No way to change the default port to 
'hide' this vulnerable server.  Place server on VLAN and restrict access.  Do 
not use NBX VOIP for remote offices or phones unless you have a MultiCast 
capable VPN or private VPN.

3com Response: None

Solution: 
Please contact vendor for new firmware when they fix it.

For a report on Security Risk Factors with IP Telephony based Networks 
see: 
Security_Risk_Factors_with_IP_Telephony_based_Networks Also reference article 
"is VoIP vulnerable ?"on NWfusion.com 
http://www.nwfusion.com/news/2002/0624voip.html 

see "Firewall limits vex VoIP users" at Nwfusion 
http://www.nwfusion.com/news/2002/0625bleeding.html 

For earlier problems with 3com NBX, ftp denial of service attack, see 
http://www.secnap.com/security/nbx001.html
Credit: 
This problem was originally found during a routine security audit by Michael 
Scheidell, SECNAP Network Security, www.secnap.com using the Nessus 
vulnerabilities scanner, www.nessus.org., 

Additional Information: 

To test your systems for this vulnerability, you can use Nessus at 
www.nessus.org. 
Select default scan runs.

Original copy of this report can be found here 
<http://www.secnap.net/security/20040420.html> 

Copyright: 
Above Copyright(c) 2004, SECNAP Network Security Corporation. World rights 
reserved. 

This security report can be copied and redistributed electronically provided it 
is not edited and is quoted in its entirety without written consent of SECNAP 
Network Security Corporation. Additional information or permission may be 
obtained by contacting SECNAP Network Security at 561-368-9561 or www.secnap.com