CERT VU#528719
History: Feb 21, 2003 - 12:00 a.m.

Multiple implementations of the Session Initiation Protocol (SIP) contain multiple types of vulnerabilities

www.kb.cert.org

CVSS2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE
Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: PARTIAL

EPSS: 0.041 (Percentile: 92.2%)

Overview

Oulu University has discovered a variety of vulnerabilities affecting products that implement the Session Initiation Protocol (SIP). These vulnerabilities affect a wide variety of products, with impacts ranging from denial of service to execution of arbitrary code. SIP is used in Voice Over Internet (VoIP), instant messaging, telephony, and various other applications and devices.

Description

The Oulu University Secure Programming Group (OUSPG) has discovered a variety of vulnerabilities in multiple implementations of the Session Initiation Protocol (SIP). OUSPG has previously conducted research into vulnerabilities in various protocol implementations, including LDAP, culminating in CERT Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03. OUSPG has again asked us to coordinate with them in letting affected vendors know of their findings.

The Session Initiation Protocol (SIP) is a signaling protocol for various instant messaging, Voice Over Internet Protocol (VoIP), and other telephony applications. OUSPG has focused on a subset of SIP as the subject protocol for vulnerability assessment. Information about SIP can be found on the IETF Charter page for SIP. OUSPG has released the results of their investigations to the public. More details may be found in CERT Advisory CA-2003-06.


Impact

Impacts range from unexpected system behavior and denial of service to execution of arbitrary code.


Solution

Upgrade or apply the patches as specified by your vendor.


Access to vulnerable applications supporting the Session Initiation Protocol (SIP) may be blocked at the network perimeter on ports 5060/tcp and 5060/udp.


Vendor Information

Alcatel Affected

Notified: October 30, 2002 Updated: March 06, 2003

Status

Affected

Vendor Statement

Following CERT advisory CA-2003-06 on security vulnerabilities in SIP implementations, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. A first analysis has shown that the OmniPCX Enterprise 5.0 Lx is impacted. Alcatel is currently working on a fix that will be made available via our business partners. Customers may wish to contact their support for more information. The security of our customers' networks is of highest priority for Alcatel. Therefore we continue to test our product portfolio against potential SIP security vulnerabilities and will provide updates if necessary.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23528719 Feedback>).

Cirpack Affected

Updated: March 13, 2003

Status

Affected

Vendor Statement

Cirpack Switches <http://www.cirpack.com/products> deployed by telecom service providers for carrier-class SIP voice services are not vulnerable to the problem described in VU#528719 as of software version = 4.3c. If your Cirpack switches use an earlier software version, please contact your Cirpack account manager.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cisco Systems, Inc. Affected

Notified: October 30, 2002 Updated: February 21, 2003

Status

Affected

Vendor Statement

Cisco Systems is addressing the vulnerabilities identified by VU#528719 across its entire product line. Cisco has released an advisory:

http://www.cisco.com/warp/public/707/cisco-sa-20030221-protos.shtml

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Columbia SIP User Agent (sipc) Affected

Updated: February 25, 2003

Status

Affected

Vendor Statement

Sipc (version 1.74) contains vulnerabilities identified by OUSPG PROTOS SIP Test Suite. The vulnerabilities have been resolved in sipc (version 2.0, build 2003-02-21). Please see sipc (version 1.74) vulnerabilities found by PROTOS SIP Test Suite for detailed information.

We strongly advise upgrading to sipc version 2.0, which is much more stable, has a much better user interface and can perform more functions.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

DynamicSoft Inc Affected

Notified: November 26, 2002 Updated: February 27, 2003

Status

Affected

Vendor Statement

Please see <http://www.dynamicsoft.com/support/advisory/ca-2003-06.php>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IPTel Affected

Notified: October 30, 2002 Updated: February 20, 2003

Status

Affected

Vendor Statement

All versions of SIP Express Router up to 0.8.9 are sadly vulnerable to the OUSPG test suite. We strongly advise upgrading to version 0.8.10. Please also apply the patch to version 0.8.10 from <http://www.iptel.org/ser/security/> before installation and keep on watching this site in the future. We apologize to our users for the trouble.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This is resolved in SIP Express Router version 0.8.10. Available from the download section on iptel.org.

Ingate Systems Affected

Updated: March 07, 2003

Status

Affected

Vendor Statement

Ingate Firewall and Ingate SIParator running versions prior to 3.1.3 are vulnerable to problems exposed by the PROTOS c07-sip test suite. The vulnerabilities have been fixed in version 3.1.3, which is available for download from <http://www.ingate.com/upgrades/>. We strongly advise upgrading to version 3.1.3.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Mediatrix Telecom Inc Affected

Updated: May 09, 2003

Status

Affected

Vendor Statement

Tests developed by the University of Oulu and performed by Mediatrix Telecom Inc on Mediatrix VoIP Access Devices and Gateways have uncovered vulnerabilities, as per CERT vulnerability note VU#52789, that will be eliminated through software patches with the following availabilities:

- By March 21 for Mediatrix units running the SIPv2.4 firmware.
- By April 11 for Mediatrix units running the SIPv4.3 firmware.

Additional information on Mediatrix Telecom Inc products is available at .

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nortel Networks, Inc. Affected

Notified: October 30, 2002 Updated: July 24, 2003

Status

Affected

Vendor Statement

Nortel Networks is cooperating to the fullest extent with the CERT Coordination Center. All Nortel Networks products that use Session Initiation Protocol (SIP) have been tested and all generally available products, with the following exceptions, have passed the test suite:

Succession Communication Server 2000 and Succession Communication Server 2000 - Compact are impacted by the test suite only in configurations where SIP-T has been provisioned within the Communication Server; a software patch is expected to be available by the end of February.

For further information about Nortel Networks products please contact Nortel Networks Global Network Support.

North America: 1-800-4-NORTEL, or (1-800-466-7835)
Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907 9009
Contacts for other regions available at the Global Contact <> web page.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Pingtel Affected

Notified: October 30, 2002 Updated: March 24, 2003

Status

Affected

Vendor Statement

Pingtel has verified that the current versions of software for the Pingtel xpressa desk phone and instant xpressa softphone products, Release 2.1.6, are not vulnerable to any of the tests developed by the University of Oulu and described in CERT Vulnerability Note VU#528719.

Pingtel strongly encourages its customers to use Version 2.1.6. Existing customers may upgrade to this software, free of charge. This software is available at <http://www.pingtel.com/s_upgrades.jsp>.

While the process of updating software for xpressa and instant xpressa can take a phone out of service for two minutes, Pingtel recommends that customers make the effort to stay current, if they aren't already, by upgrading to Version 2.1.6 now. Earlier software revisions are vulnerable, making the use of any release prior to 2.1.6 inadvisable.

Customers that have any questions or concerns are welcome to contact the Pingtel Technical Assistance Center at any time by calling 781-938-5306, emailing [email protected], or going online at <http://support.pingtel.com>. Emergency cases are always handled 24 x 7 x 365.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

AOL Time Warner Not Affected

Notified: October 30, 2002 Updated: March 25, 2003

Status

Not Affected

Vendor Statement

Not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Apple Computer, Inc. Not Affected

Notified: October 30, 2002 Updated: February 17, 2003

Status

Not Affected

Vendor Statement

There are currently no applications shipped by Apple with Mac OS X or Mac OS X Server which make use of the Session Initiation Protocol.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Avaya Not Affected

Notified: October 30, 2002 Updated: February 25, 2003

Status

Not Affected

Vendor Statement

Avaya products are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Borderware Not Affected

Notified: October 30, 2002 Updated: February 17, 2003

Status

Not Affected

Vendor Statement

No BorderWare products make use of SIP and thus no BorderWare products are affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Check Point Not Affected

Notified: October 30, 2002 Updated: March 06, 2003

Status

Not Affected

Vendor Statement

No Check Point products are vulnerable to the described attacks. FireWall-1 blocks the majority of the attacks described in this advisory through strict enforcement of the SIP protocol.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Clavister Not Affected

Notified: October 30, 2002 Updated: February 17, 2003

Status

Not Affected

Vendor Statement

No Clavister products currently incorporate support for the SIP protocol suite, and as such, are not vulnerable.

We would however like to extend our thanks to the OUSPG for their work as well as for the responsible manner in which they handle their discoveries. Their detailed reports and test suites are certainly well-received.

We would also like to reiterate the fact that SIP has yet to mature, protocol-wise as well as implementation-wise. We do not recommend that our customers set up SIP relays in parallel to our firewall products to pass SIP-based applications in or out of networks where security is a concern of note.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

F5 Networks, Inc. Not Affected

Notified: October 30, 2002 Updated: February 20, 2003

Status

Not Affected

Vendor Statement

F5 Networks does not have a SIP server product, and is therefore not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Foundry Networks Inc. Not Affected

Updated: March 25, 2003

Status

Not Affected

Vendor Statement

Foundry Networks, Inc. products do not use the SIP protocol and are not affected by the vulnerabilities described in CA-2003-06.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fujitsu Not Affected

Notified: October 30, 2002 Updated: February 17, 2003

Status

Not Affected

Vendor Statement

With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable because the relevant function is not supported under UXP/V.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett-Packard Company Not Affected

Notified: October 30, 2002 Updated: February 20, 2003

Status

Not Affected

Vendor Statement

Source:
Hewlett-Packard Company
Software Security Response Team

cross reference id: SSRT2402

HP-UX - not vulnerable
HP-MPE/ix - not vulnerable
HP Tru64 UNIX - not vulnerable
HP OpenVMS - not vulnerable
HP NonStop Servers - not vulnerable

To report potential security vulnerabilities in HP software, send an E-mail message to:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hotsip AB Not Affected

Updated: March 12, 2003

Status

Not Affected

Vendor Statement

Hotsip has investigated the issues reported in VU#528719 and found that Hotsip Active Contacts™ PC 3.x, SIP Application Server 3.x and Presence Engine 2.x are not affected by this.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hughes Software Systems Not Affected

Notified: February 13, 2003 Updated: April 18, 2003

Status

Not Affected

Vendor Statement

SIP Core stack - Not Vulnerable [ Version : 5.0.1 ]

SIP User Agent - Not Vulnerable [ Version : 2.0 ]
microSIP stack - Not Vulnerable [ Version: 2.0 ]
microUser Agent - Not Vulnerable [ Version: 2.0 ]

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Corporation Not Affected

Notified: October 30, 2002 Updated: February 21, 2003

Status

Not Affected

Vendor Statement

SIP is not implemented as part of the AIX operating system.

The issues discussed in VU#528719 do not pertain to AIX.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IP Filter Not Affected

Notified: October 30, 2002 Updated: February 17, 2003

Status

Not Affected

Vendor Statement

IPFilter does not do any SIP specific protocol handling and is therefore not affected by the issues mentioned in the paper cited.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Indigo Software Not Affected

Updated: April 01, 2003

Status

Not Affected

Vendor Statement

Indigo Software certifies that its Indigo SIP Foundation Class, Indigo SIP Server & SDK and Indigo Communications Server & SDK products are NOT VULNERABLE to DoS and other attacks simulated by the PROTOS Vulnerability Assessment Test Suite". For more information, please refer to http://www.indigosw.com/html/cert_advisory.htm

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Intoto Not Affected

Notified: October 30, 2002 Updated: March 24, 2003

Status

Not Affected

Vendor Statement

Intoto, Inc has examined its SIP based product iGateway-VoIP Ver 1.0.1, for possible buffer overflow vulnerabilities documented in VU#528719, and found that iGateway-VoIP is not vulnerable to these attacks.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Juniper Networks, Inc. Not Affected

Notified: October 30, 2002 Updated: February 21, 2003

Status

Not Affected

Vendor Statement

Juniper Networks products are not SIP-aware, and neither generate, process, nor act as a proxy for SIP protocol messages. Therefore, Juniper Networks products are not susceptible to this vulnerability.

Customers wishing to use the packet filtering features of Juniper Networks products to block SIP protocol messages can visit the Juniper Networks product support web-site at <https://www.juniper.net/support/csc/> or they can contact Juniper's Technical Assistance Center by telephone at 1-888-314-JTAC (U.S. customers only; non-U.S. customers should call JTAC at +1 408-745-9500.)

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Kphone Not Affected

Notified: February 12, 2003 Updated: February 17, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Microsoft Corporation Not Affected

Notified: October 30, 2002 Updated: February 20, 2003

Status

Not Affected

Vendor Statement

Microsoft has investigated these issues. The Microsoft SIP client implementation is not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Mitel Networks, Inc. Not Affected

Updated: September 19, 2005

Status

Not Affected

Vendor Statement

Mitel SIP products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation Not Affected

Notified: October 30, 2002 Updated: May 20, 2003

Status

Not Affected

Vendor Statement

=====================================================================
NEC vendor statement for VU#528719

sent on May 20, 2003

[Server Products]

* EWS/UP 48 Series operating system
  - is NOT vulnerable, because it does not support SIP.

[Router Products]

* IX 1000 / 2000 / 5000 Series
  - is NOT vulnerable, because it does not support SIP.

[Other Network products]

* CX6820 Call Service Server Series (CA/SS/MD) V2.2
  - is NOT vulnerable.

* CX7620-VG Media Server
  - is NOT vulnerable.

* We continue to check our products which support SIP protocol.
=====================================================================

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NETBSD Not Affected

Notified: October 30, 2002 Updated: February 17, 2003

Status

Not Affected

Vendor Statement

NetBSD does not ship any implementation of SIP.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NETfilter.org Not Affected

Notified: October 30, 2002 Updated: February 17, 2003

Status

Not Affected

Vendor Statement

As the linux 2.4/2.5 netfilter implementation currently doesn't support connection tracking or NAT for the SIP protocol suite, we are not vulnerable to this bug.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetScreen Not Affected

Notified: October 30, 2002 Updated: February 21, 2003

Status

Not Affected

Vendor Statement

NetScreen is not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Network Appliance Not Affected

Notified: October 30, 2002 Updated: February 18, 2003

Status

Not Affected

Vendor Statement

NetApp products are not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nokia Not Affected

Notified: October 30, 2002 Updated: February 20, 2003

Status

Not Affected

Vendor Statement

Nokia IP Security Platforms based on IPSO, Nokia Small Office Solution platforms, Nokia VPN products and Nokia Message Protector platform do not initiate or terminate SIP based sessions. The mentioned Nokia products are not susceptible to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Novell, Inc. Not Affected

Notified: October 30, 2002 Updated: February 20, 2003

Status

Not Affected

Vendor Statement

Novell has no products implementing SIP.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Red Hat, Inc. Not Affected

Notified: October 30, 2002 Updated: February 19, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Secure Computing Corporation Not Affected

Notified: October 30, 2002 Updated: February 17, 2003

Status

Not Affected

Vendor Statement

Neither Sidewinder nor Gauntlet implements SIP, so we do not need to be on the vendor list for this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SecureWorx Not Affected

Notified: October 30, 2002 Updated: February 17, 2003

Status

Not Affected

Vendor Statement

We hereby attest that SecureWorx Basilisk Gateway Security product suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the Session Initiation Protocol (SIP) Vulnerability VU#528719 as described in the OUSPG announcement (OUSPG#0106) received on Fri, 8 Nov 2002 10:17:11 -0500.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Shoreline Communication Not Affected

Notified: November 07, 2002 Updated: February 17, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Stonesoft Not Affected

Notified: October 30, 2002 Updated: February 17, 2003

Status

Not Affected

Vendor Statement

Stonesoft's StoneGate high availability firewall and VPN product does not contain any code that handles SIP protocol. No versions of StoneGate are vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Symantec Corporation Not Affected

Notified: October 30, 2002 Updated: April 01, 2003

Status

Not Affected

Vendor Statement

Symantec Corporation products are not vulnerable to this issue. Symantec does not implement the Session Initiation Protocol (SIP) in any of our products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

WatchGuard Not Affected

Notified: October 30, 2002 Updated: February 17, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

eSoft Not Affected

Notified: October 30, 2002 Updated: February 17, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

3Com Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

AT&T Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Avici Systems Inc. Unknown

Notified: February 20, 2003 Updated: February 20, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Berkeley Software Design, Inc. Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

COVERT Labs Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cable and Wireless Unknown

Notified: February 20, 2003 Updated: February 20, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Compaq Computer Corporation Unknown

Notified: October 30, 2002 Updated: February 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Compaq Computer Corporation has merged with Hewlett-Packard.

Computer Associates Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cray Inc. Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

D-Link Systems Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Data General Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Linux Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

EZonics Unknown

Notified: February 13, 2003 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Engarde Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD, Inc. Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Global Technology Associates Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM-zSeries Unknown

Notified: October 30, 2002 Updated: February 24, 2003

Status

Unknown

Vendor Statement

zSeries customers should feel free to contact [email protected] with any CERT related security questions or concerns.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Intel Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lachman Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lockheed Martin Unknown

Notified: February 17, 2003 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lotus Software Unknown

Notified: February 10, 2003 Updated: February 19, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lucent Technologies Unknown

Notified: October 30, 2002 Updated: February 20, 2003

Status

Unknown

Vendor Statement

No Lucent products are known to be affected by this vulnerability, however we are still researching the issue and will update this statement as needed.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Mandriva, Inc. Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Mandriva, Inc. Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MeetingHouse Data Communications Unknown

Notified: February 12, 2003 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MontaVista Software, Inc. Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Motorola Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MySIP Unknown

Notified: February 13, 2003 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NeXT Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Openwall GNU/*/Linux Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Oracle Corporation Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Process Software Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SUSE Linux Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Computer Systems, Inc. Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Siemens Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Corporation Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Microsystems, Inc. Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

The SCO Group (SCO Linux) Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

The SCO Group (SCO Unix) Unknown

Notified: October 30, 2002 Updated: February 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisys Unknown

Notified: October 30, 2002 Updated: March 26, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

University of Columbia Unknown

Notified: November 25, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Vegastream Unknown

Notified: February 13, 2003 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wind River Systems, Inc. Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wirex Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Xerox Corporation Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

Xerox is aware of this vulnerability and is currently assessing all products. This statement will be updated as new information becomes available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Yahoo Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

ZYXEL Unknown

Notified: October 30, 2002 Updated: February 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Acknowledgements

The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities, for providing detailed technical analyses, and for assisting us in preparing this advisory. We would also like to acknowledge the "RedSkins" project of "MediaTeam Oulu" for their support of this research.

This document was originally written by Jason A Rafail. Revisions were made by Jeffrey S. Havrilla.

Other Information

CVE IDs: CVE-2003-1108
CERT Advisory: CA-2003-06
