
Devices and applications using SIP or AS-SIP signaling are vulnerable to a cross site scripting attack.


Overview

Finding ID: V-21513
Version: VVoIP 1980 (GENERAL)
Rule ID: SV-23722r1_rule
IA Controls:
Severity: Medium
Description
A cross-site scripting vulnerability has been demonstrated in at least one SIP-based IP phone. The vulnerability was demonstrated by adding scripting code to the From: field in the SIP invite. Upon receiving the invite, the embedded code was executed by a “vulnerable embedded web server” to download additional malicious code and effect an attack. A desktop demonstration of the vulnerability also exists on www.securityfocus.com under Bugtraq ID: 25987; it benignly pops up an alert box containing the word “HACK” on the user’s workstation after downloading a SIP invite.

While this vulnerability was demonstrated on a specific IP phone, it could potentially affect all SIP-based endpoints or clients and their signaling partners. It results from improper filtering or validation of the content of the various fields in the SIP invite and potentially the Session Description Protocol (SDP) portion of the invite. The injected code could cause malicious code of any kind to be run on the target device, which could be an endpoint (hard or soft), a session controller, or any other SIP signaling partner. Additionally, this vulnerability may affect applications other than VoIP that use SIP, such as IM clients and others. A similar vulnerability would result if URLs embedded in SIP messages were launched automatically.
STIG: VOICE and VIDEO over INTERNET PROTOCOL (VVoIP) POLICY SECURITY TECHNICAL IMPLEMENTATION GUIDE
Date: 2010-08-17

Details

Check Text (C-25755r1_chk)
Validate compliance with the following requirement:

In the event SIP or AS-SIP is used for session signaling, ensure the SIP/AS-SIP/SDP interpreter/parser filters and validates the information in the signaling message fields such that the application does not process scripting statements of any kind or URLs embedded in the SIP message or the SDP packets.

Obtain documentation from the system/device vendor proving that the system/device is not vulnerable to this exploit or how this vulnerability is mitigated. The IAO should maintain such documentation for inspection during a review.

NOTE: A tool is needed to validate or test for compliance with this requirement. Such a tool would need to send SIP or AS-SIP invites, as used in the particular system under test, containing scripting code. The tool would need to send repeated invites while embedding the scripting code into different message fields.


Fix Text (F-22301r1_fix)

Implement, patch, or upgrade SIP/AS-SIP signaling agents (endpoints (hard or soft), session controllers, or any other SIP signaling partner or application that uses SIP) so that the SIP/AS-SIP/SDP interpreter/parser filters and validates the information in the signaling message fields and the application/device does not process scripting statements of any kind or URLs embedded in the SIP message or the SDP packets.

Obtain documentation from the system/device vendor proving that the system/device is not vulnerable to this exploit or how this vulnerability is mitigated. The IAO should maintain such documentation for inspection during a review. If necessary, configure the system/device in accordance with the vendor mitigations.

Alternatively, disable the ability of script engines or web browsers/servers on the system/device to process script code or URLs surreptitiously embedded in SIP/AS-SIP/SDP messages.
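One way to implement the field filtering and validation the Fix Text calls for, shown as an added example that is not part of the STIG or any vendor's code: it unfolds SIP headers, walks the SDP lines, and reports fields carrying markup, script URIs, event handlers or web URLs, including percent-encoded forms. The function names (split_fields, screen, render_field), the pattern set and the sample INVITE are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote

# "markup" matches <script> or <img ...> but not a name-addr such as <sip:user@host>,
# whose scheme is followed by ':' rather than whitespace, '/' or '>'.
CHECKS = [
    ("markup", re.compile(r"<\s*/?\s*[a-z][a-z0-9]*(?=[\s/>])", re.I)),
    ("script-uri", re.compile(r"\b(?:javascript|vbscript)\s*:", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("url", re.compile(r"\b(?:https?|ftp)://", re.I)),
]

def split_fields(message):
    """Yield (name, value) for every SIP header (unfolded) and every SDP line."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    headers = []
    for line in head.split("\n")[1:]:              # [1:] skips the request line
        if line[:1] in (" ", "\t") and headers:    # folded continuation line
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    for line in headers:
        name, _, value = line.partition(":")
        yield name.strip(), value.strip()
    for line in body.split("\n"):
        if line[1:2] == "=":
            yield "SDP " + line[:2], line[2:].strip()

def screen(message):
    """Return sorted (field, finding) pairs the signaling agent should reject or neutralize."""
    findings = set()
    for name, value in split_fields(message):
        for text in (value, unquote(value)):       # also catch %3Cscript%3E encoding
            findings.update((name, label) for label, rx in CHECKS if rx.search(text))
    return sorted(findings)

def render_field(value):
    """Encode a field before an embedded web page (call log, status page) displays it."""
    return html.escape(value, quote=True)

SAMPLE = (  # constructed INVITE for illustration, not captured traffic
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "From: \"<script>alert('HACK')</script>\" <sip:caller@example.invalid>;tag=1\r\n"
    "To: <sip:bob@example.invalid>\r\n"
    "Subject: weekly\r\n sync %3Cimg src=x%3E\r\n\r\n"
    "v=0\r\ns=call\r\nu=http://example.invalid/info\r\nm=audio 49170 RTP/AVP 0\r\n"
)

if __name__ == "__main__":
    print(screen(SAMPLE))
```

Headers such as Call-Info and the SDP u= line can legitimately carry URLs, so a "url" finding is a prompt to confirm the device never launches the link automatically, not proof of an attack.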