Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
problem in voip environment
From: Pasquiet Loic (M.) (Loic.PasquietPolytechnique.fr)
Date: Sat Sep 11 2004 - 15:53:44 CDT
Security issues have been identified that allows an attacker to
compromise ip phones.
We are testing voip solutions and here's what we've found :
take a layer 2 switch, here, an avaya cajun switch like P33xT or
P334T-ML (layer 2).
configure 2 ports like it's recommended in voip, like this :
a vlan id x on port 1 and a vlan-static-bindig id y for telephony (x is
the pvid is or native vlan or default vlan)
a vlan id x on port 2 and a vlan-static-bindig id y for telephony
we are in mode access so ports are not 802.1q or in trunk mode ...
plug an ip phone on port 1 in 10.10.10.10/24
plug a PC on port 2 in 10.10.10.11/24 (the pc doesn't tag his frames)
(if you plug the PC behind another ip phone, the result is the same)
try to ping the ip phone ... it's ok.
You can now easily flood all ip phones on the same switch or the entire
3. Affected products
Avaya Cajun P33xT , P33xT-ML and more ?
Actually in the product house for Avaya.
With other switch, we know that you can bypass this hole by activate a
'untagpvidonly' command on the ports 1 et 2
or something equivalent according to constructors ...
In trunk mode or in full 802.1q mode, we can do the 'same' thing by
simply tagging frames from your PC.
So, you are in telephony vlan ...
We are also interesting in deployment experience and the response about
fully tagging ports or not ...