The software vulnerability life cycle starts with a newly discovered or published vulnerability and ends when machines are patched. In practice, however, all machines will never be patched, so vulnerabilities are tracked as a half-life, when for example half of vulnerable hosts are patched. According to Qualys, the current half-life for Internet-facing hosts is 19 days, down from 30 days a couple of years ago. However, we lose this race to the hackers as the average latency now is only six days from discovery to attacks. It is important to note that 80 per cent of attacks occur during the first half-life. So if you are a target – and government departments are – you had better be patched or shield for a known vulnerability right away.
VoIP software vulnerabilities
Along with shrinking intervals, the discovery rate for vulnerabilities continues to increase, recently averaging more than 100 a week. While software such as Internet Explorer has been a favourite target for vulnerability researchers, VoIP vulnerabilities are now starting to make it on the lists. For example, July 2006 was a big month for browsers, with HD Moore (the co-founder of the Metasploit Network, a well known vulnerability exploit testing tool) releasing proof-of-concept exploit code for one browser flaw per day for the month of July. However, also in July was the publication of the SIPfoundry sipXtapi Buffer Overflow vulnerability, which garnered the maximum rating of 10 on the common vulnerability scoring system (CVSS). This rating is reserved for the most critical problems.
New VoIP vulnerability and the PAL team
When Dave Gibson, an engineer in the the PAL team, arrived at work on the morning of July 10, he started his day with the usual scan of Internet feeds that report on vulnerability discoveries. The sipXtapi issue caught is attention. He noted the reported maximum severity level, and quickly scanned sources to obtain more details. He learned that it was of the most common variety, a buffer overflow flaw, but this particular one was dangerous because it was remotely exploitable. This means the attacker can get the vulnerable host to run arbitrary code. This exploit code would typically be a small program that would subsequently download more code under remote control. For the hacker to exploit this vulnerability, it is a rather simple matter of sending a specially crafted message to the machine; then the hacker owns it.
The PAL team understood that this vulnerability scored the maximum rating because the software was widely deployed, combined with the ease of carrying out an exploit. In this case, the code was part of the SIPfoundry project, an open source library dedicated to accelerating the adoption of the SIP protocol. As such, this library is used in many SIP products from multiple vendors. Vulnerable systems were any product that used this library that compiled before March 24 2006. At the time it included several common applications, including PingTel products and AOL’s Triton Instant Messaging application. The SIP protocol is finding its way in numerous multimedia applications, including instant messaging applications, and these may have large installed bases that could render potentially millions of PCs vulnerable.
In parallel with understanding the nature of the problem, the team looked at what software used this library, to determine whether the vulnerability affected telecommunications infrastructure.
In an attack, how can you protect vulnerable VoIP systems?
When investigating the sipXtapi problem, the PAL team verified the vulnerability on affected systems by launching exploit code and observing the result. In this case the job was made easier as the Internet postings conveniently included a “proof of concept” example of exploit code.
The team decided to try a test run on a new tool the lab was evaluating as a shielding element for exactly this type of incident. The tool is a host-based intrusion prevention system (HIPS) based on deep packet inspection. This is a relatively new approach in detecting and neutralizing malware, using software that incorporates an inspection firewall with rules for deep packet inspection that only allows correctly formatted protocols through, thus blocking attacks. This software resides at the driver level on various hosts and endpoints that run VoIP software.
Other mitigation approaches were considered. In this case, a firewall rule to block the port could not be used, as the protocol must be allowed though. Patching could be problematic, given the widespread application base that uses this library. Waiting for the anti-virus vendors to update signatures after exploits appear in the wild leaves systems exposed for some time. Along with being slow and reactive, another risk is being hit with a targeted attack that runs with a low enough infection rate to stay off the anti-virus signature radar. A filter update for IPS, on the other hand, is much more proactive, as one shield update provides protection for an unlimited number of future attacks on the same vulnerability. This means your application is protected and you stay ahead of the hacker exploit cycle. When the vulnerable software is finally patched, the particular filter for the IPS system can be removed.
Brian O’Higgins ( brian.ohiggins@thirdbrigade.com ) is CTO of Third Brigade, an Ottawa-based security company that provides host-based intrusion prevention solutions.
Read about the state of security and emergency services in Canada
Learn about Government Security