3com NBX IP phone system Denial of Service Attack

Systems: 3com NBX IP Phone Call manager, FW Versions through 4_1_21
Severity: Critical
Category: Denial of Service
Classification: Boundary Condition Error
BugTraq-ID: 6297
Vendor URL: www.3com.com, www.windriver.com
Author: Michael S. Scheidell, SECNAP Network Security
Original Release date: December 2nd, 2002
Notifications: (3com, WindRiver and CERT) Notified October 31st, 2002
Last contact with 3com: November 22nd, 2002
Attempted contact with 3com: April 15th, 2003
Last contact with WindRiver: December 6rd, 2002

Discussion: (From 3com's and WindRiver's web site)

3Com® SuperStack® 3 NBX® and 3Com NBX 100 networked telephony solutions offer wide-ranging price/performance alternatives to fit your business needs today and tomorrow. 3Com® SuperStack® 3 NBX® Networked Telephony Solution Delivers robust, full-featured business communications for up to 1500 devices (lines/stations) Ensures high system availability with the Wind River VxWorks real-time operating system (also used in pacemakers and artificial hearts), so server and PC downtime does not impact your telephone service.

VxWorks and pSOSystem are the most widely adopted real-time operating systems (RTOSs) in the embedded industry -- for good reason. They are flexible, scalable, reliable, and available on all popular CPU platforms. They are also, by most measures, the fastest RTOSs available today.

Exploit: It was possible to make the remote FTP server crash by issuing this command :

CEL aaaa[...]aaaa where string is 2048 bytes long. This can be done with netcat, a windows client by telnetting to the nbx server on port 21 or by running the vxworks_ftpd.nasl test in nessus (www.nessus.org)

The 3com NBX uses VXWORKS Embedded Real time Operating system and what appears to be their own internal ftp server. This buffer overflow problem seems to be one similar to the AIX ftpd reported in CVE 1999-0789 and has been assigned bugtraq id 6297

By sending a specific string of data to the ftp server, an attacker can not only disable the ftp server, but the integrated web based administrative console and the call manager preventing diagnostics, control and all incoming, outgoing or internal calls. Any calls in progress cannot be disconnected, and in the case of long distance calls, could result in excessive long distance bills and extended loss of use of the phone system.

This condition is not recovered without a Hard reboot (power off/on). Since the 3com nbx is based on an embedded Unix operating system (vxworks), an abrupt power off could cause loss of data, including corruption of voice mails in progress or logs.

A company who uses the VoIP features for remote locations, and who has the call manager located on the outside of their firewall, or has no firewall can have their voice communications disrupted easily. Even if the company has the call manager located on internal network, people with internal network access can also disrupt communications. We have tested 3com nbx firmware version 4_0_17 (with ftpd version 5.4) and nbx firmware version 4_1_4 and 4_1_21 (ftpd version 5.4.2) and this bug seems to be present in all three systems.

3com Response:
3com confirmed problem and received a field patch, TSR(296292) from WindRiver to address the problem. Neither WindRiver nor 3com has provided a test bed or access to a fixed system for us verify fix. 3com will be working to integrate this TSR into a future release of the nbx build but has no date yet for release. Also, since ftpd is only used for debugging and diagnostics, a future firmware will allow the administrator the ability to turn off ftpd if not used.
We contacted 3com on Febuary 28th and March 14th to obtain above firmware and then again on April 15th to report that Firmware 4_1_21 did not yet fix the problem.
No response from 3com yet.

VxWorks Response:
The defect has been corrected. A solution has been provided to and is being used by 3COM. We will be providing an update to CERT. We also plan to issue patches to our population of customers for Tornado 2.0.2 / VxWorks 5.4 and Tornado 2.2 / VxWorks 5.5. Testing on all CPU architecture platforms for T2.0.2 and T2.2 is started now and we anticipate the patch for T2.0.2 to be completed before Christmas and T2.2 by mid-Jan, 2003

Solution:
Please contact vendor once new software is released

Workaround:
There appears to be no way to turn off the built in ftp server in this version of the software, nor any way to do ip address limits via tcp wrapper or acls. The only way we know of to prevent a denial of service attack on the 3com nbx is to place it behind its own firewall. If call manager is placed on the Internet side of the firewall or in the DMZ, care should be taken to prohibit any access to ftp port (tcp port 21) This may be impossible on an internal network unless 3com nbx is itself placed behind a firewall, or on a separate VLAN or network segment. Care should be taken in this approach, since some firewalls may interfere with the VoIP operations.

see "Firewall limits vex VoIP users" at Nwfusion

Credit:
This problem was originally found during a routine security audit by Michael Scheidell, SECNAP Network Security, www.secnap.com using the Nessus vulnerabilities scanner. Additional assistance by Leonid Rosenboim [lr2 at actcom.co.il] in verifying that this may be an old bug, already fixed in current vxworks sources but might not have been tested by 3com yet.

Additional Information:
A tcpdump/pcap packet of the exploit and ftpd/nbx response can be found at http://www.secnap.com/private/nbx.pcap
If you have snort or ISS's trons IDS, a signature to detect this attack can be found at on www.snort.org

To test your systems for this vulnerability, you can use Nessus at www.nessus.org. Either update your signatures, or download this nessus signature: vxworks_ftpd.nasl

Original copy of this report can be found here
<www.secnap.com/press-room/first-alerts/3com-nbx-dos.html>

Copyright:
Above Copyright(c) 2002, 2003 SECNAP Network Security, LLC. World rights reserved.

This security report can be copied and redistributed electronically provided it is not edited and is quoted in its entirety without written consent of SECNAP Network Security, LLC. Additional information or permission may be obtained by contacting SECNAP Network Security at 561-999-5000