Testing SIP Security on a Budget, Part 1: Page 3

Bug-hunting

Figure 6. Nessus SIP Checks Click to see full size image

Once an attacker determines the VoIP device type—and perhaps a valid login—he can aim focused attacks at that target. As discussed in part 1, most network software has at least a few documented security flaws (i.e., Common Vulnerabilities and Exposures). Depending on the attacker's goal, exploits can be launched to cripple or crash the target, or even to run arbitrary code on the target. Vulnerability scanners are designed to find old, unpatched bugs and configuration errors that enable such exploits.

Nessus (left) is a general-purpose vulnerability scanner that can be used for node discovery, configuration auditing, asset profiling, and application vulnerability checks. Although Nessus 3 is a commercial product, Nessus 2 is still available as open-source for many platforms. Nessus can also be augmented with freely-available plug-ins (e.g., eStara SoftPhone detection, Asterisk vulnerability detection).

SiVuS (right) is a publicly available SIP-specific vulnerability scanner. It can discover and then probe SIP-capable components, analyzing message headers to determine whether targets are vulnerable to buffer overflows or Denial of Service (DoS) attacks.

SiVuS also looks for authentication vulnerabilities in SIP signaling messages and determines whether secure protocols like SIPS can be used. This example run found numerous unpatched vulnerabilities (one high severity; many low severity) in a Cisco VoIP phone. Note that each vulnerability is accompanied by a description and recommendation. SiVuS can also generate reports that document scan results (see figure).

VoIPauditLite (left) is a freely-available subset of the commercial VoIP network scanning appliance sold by VoIPShield. Lite operates as a virtual appliance under VMware, running a fixed set of checks pulled from VoIPShield's database of Avaya, Cisco, Microsoft, and Nortel vulnerabilities. VoIPauditLite can discover, periodically scan, and report on "VoIP Assets." Note, however, that Lite's vulnerability database will grow stale unless you subscribe to VoIPShield's Update service.

This article was first published on VoIPPlanet.com.