Saturday, February 23, 2008

SIP vulnerabilities - Different types

Many vulnerabilities are being discovered in SIP implementations - SIP UAs, SIP proxies and even session border controllers. Based on a review of some of the vulnerability reports, they can be categorized into the following types:
  • Buffer overflow attacks in
    • SIP request first line fields - method, URI and version.
    • SIP response first line fields - version, status code and reason phrase.
  • Duplicate header fields
    • SIP header fields
    • SDP fields
  • Missing header fields
    • SIP header fields
    • SDP fields
  • Invalid data in the
    • SIP header field names
    • SIP header field values
    • SDP field names
    • SDP field values.
  • Short messages
    • SIP request message size
    • SIP response message size
IPS/IDS devices can detect attacks that exploit the above types of vulnerabilities without false positives only if their rule language has a rich set of SIP-aware syntax.

Many IDS/IPS devices do support detection of traffic anomalies with respect to traffic rate, connection rate, etc. They also support detection of protocol anomalies. SIP is a text-based protocol, and the SIP standard does not specify length limits for start-line fields, header field names or header field values. Because of this flexibility, protocol (RFC) violation detection is limited. To beef up anomaly detection, I believe that IPS/IDS devices should support detection of protocol content anomalies for zero-day detection (if not protection). At a minimum, content anomaly detection should cover first-line fields, SIP header fields and SDP fields. Since there is no standard on limits, IDS/IPS devices should give administrators the flexibility to change the anomaly rules, and IT departments can tune these rules to the requirements of their deployment.

This anomaly detection is a kind of first-alert system. Upon an alert, security professionals can find out the intentions of the attackers and take further actions, such as beefing up security by creating newer, more stringent rules, patching the victim systems, and updating their honeypot configuration to track the attackers.

Any anomaly detection needs a baseline. I am not an expert on SIP devices and SIP deployments, but based on the types of vulnerabilities above, I feel that a baseline and the associated anomaly-detection rules can be created (by security professionals or signature developers) using guidelines such as:
  • For each field in the start line, the SIP headers and the SDP body:
    • Determine all possible values for the field.
    • Determine typical lengths of field names.
    • Determine typical lengths of field values.
    • Determine the typical set of characters observed normally.
  • Determine the header fields that normally exist in SIP requests and responses.
  • Determine the header fields which are normally unique.
Create rules to detect any anomalies based on the above baseline. It is also necessary to detect SQL injection and XSS attempts by validating the field names and values.
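As an added example (not from the original post), the baseline guidelines above turned into a small request checker: every limit in BASELINE is an assumed, site-tunable value, and the message in BAD is a constructed sample that trips the oversized-URI, invalid-character, duplicate-header and missing-header rules at once.

```python
import re
# Constructed baseline for a hypothetical deployment: every limit is a tuning
# assumption (RFC 3261 sets none), the kind of values the guidelines above produce.
BASELINE = {
    "methods": {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"},
    "versions": {"SIP/2.0"}, "min_request_len": 100,
    "max_uri_len": 256, "max_name_len": 32, "max_value_len": 512,
    "required": {"via", "from", "to", "call-id", "cseq", "max-forwards"},
    "unique": {"from", "to", "call-id", "cseq", "max-forwards", "content-length"},
}
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length"}
NAME_CHARS = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")  # expected header-name token
VALUE_CHARS = re.compile(r"^[\x20-\x7e]*$")          # printable ASCII only
def check_request(raw: bytes, baseline=BASELINE) -> list:
    """Return sorted anomaly descriptions for one SIP request ([] = clean)."""
    findings = ["short message"] if len(raw) < baseline["min_request_len"] else []
    head = raw.partition(b"\r\n\r\n")[0]               # headers only, body ignored
    head = re.sub(rb"\r\n[ \t]+", b" ", head)          # unfold continuation lines
    lines = head.decode("ascii", "replace").splitlines()
    parts = lines[0].split(" ") if lines else []
    if len(parts) != 3:
        findings.append("malformed start line")
    else:
        method, uri, version = parts
        if method not in baseline["methods"] or version not in baseline["versions"]:
            findings.append(f"unexpected method/version {method!r} {version!r}")
        if len(uri) > baseline["max_uri_len"]:
            findings.append("oversized request URI")
    seen = {}
    for line in lines[1:]:
        name, sep, value = (s.strip() for s in line.partition(":"))
        if not sep or not NAME_CHARS.match(name) or len(name) > baseline["max_name_len"]:
            findings.append(f"bad header name {name!r}")
            continue
        key = COMPACT.get(name.lower(), name.lower())   # normalise compact forms
        if len(value) > baseline["max_value_len"]:
            findings.append(f"oversized value in {key}")
        if not VALUE_CHARS.match(value):
            findings.append(f"non-printable bytes in {key}")
        seen[key] = seen.get(key, 0) + 1
    findings += [f"missing header {k}" for k in baseline["required"] - set(seen)]
    findings += [f"duplicate header {k}" for k in baseline["unique"] if seen.get(k, 0) > 1]
    return sorted(findings)
# Constructed sample: oversized URI, non-printable From, duplicate Call-ID, no CSeq.
BAD = (b"INVITE sip:" + b"A" * 300 + b"@example.com SIP/2.0\r\nMax-Forwards: 70\r\n"
       b"Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK776asdhds\r\nTo: Bob <sip:bob@example.com>\r\n"
       b"From: \x90\x90 <sip:alice@example.com>;tag=1\r\nCall-ID: a84b4c76e66710@192.0.2.1\r\n"
       b"Call-ID: a84b4c76e66710@192.0.2.1\r\nContent-Length: 0\r\n\r\n")
if __name__ == "__main__":
    print(check_request(BAD))
```

Responses need the mirrored start-line check (version, status code, reason phrase) and SDP lines the same name/value treatment; both reuse the header loop unchanged.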
