----------------------------------------------------------------------

Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.

The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,700 different Windows applications.

Request your account, the Secunia Network Software Inspector (NSI):
http://secunia.com/network_software_inspector/

----------------------------------------------------------------------

TITLE:
Nortel Products Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA27234

VERIFY ADVISORY:
http://secunia.com/advisories/27234/

CRITICAL:
Less critical

IMPACT:
Exposure of sensitive information, DoS

WHERE:
>From local network

OPERATING SYSTEM:
Nortel Business Communications Manager 50
http://secunia.com/product/16189/
Nortel Multimedia Communication Server 5100
http://secunia.com/product/6792/
Nortel IP Phone 2000 Series
http://secunia.com/product/16186/
Nortel IP Phone 1100 Series
http://secunia.com/product/16185/
Nortel Communication Server 1000
http://secunia.com/product/2823/
Nortel Centrex IP Client Manager (CICM)
http://secunia.com/product/5892/
Nortel Business Communications Manager 4.x
http://secunia.com/product/15341/
Nortel Business Communications Manager 3.x
http://secunia.com/product/2822/
Nortel Audio Conference Phone 2033
http://secunia.com/product/16184/

SOFTWARE:
Nortel Multimedia Communication Server 5100 3.x
http://secunia.com/product/15893/
Nortel Mobile Voice Client 2050
http://secunia.com/product/16188/
Nortel IP Softphone 2050
http://secunia.com/product/16187/
Nortel Multimedia Communication Server 5100 4.x
http://secunia.com/product/14612/

DESCRIPTION:
Some vulnerabilities have been reported in various Nortel products,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and to eavesdrop with affected devices.

1) The problem is that it is possible to send spoofed registration
messages to the server to which a UNIStim IP phone is connected,
forcing the IP phone to re-register. This can be exploited to cause a
DoS by continuously sending re-registration messages.

2) The problem is that it is possible to send spoofed "Open Audio
Stream" messages to an IP phone. This can be exploited to open an
audio channel and eavesdrop with the IP phone.

The vulnerabilities are reported in the following products (see
vendor advisory for details):
* BCM 4.0, BCM 3.7, BCM50
* SRG1.0, SRG1.5, SRG50
* CS1000/Meridian1
* IP Audio Conf Phone 2033
* IP Phone 1100 series
* IP Phone 200x
* IP Softphone 2050
* Mobile Voice Client 2050

NOTE: The IPCM used in CS2000 and CS2100 is not affected when the
UNIStim security protocol is enabled. The vendor still investigates
if MCS5100 and MCS5200 are affected by the vulnerability.

SOLUTION:
Apply patches (see vendor advisory for details).
http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2007/42/022872-01.pdf
http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2007/42/022870-01.pdf

PROVIDED AND/OR DISCOVERED BY:
Daniel Stirnimann and Cyrill Brunschwiler, Compass Security Network
Computing AG.

ORIGINAL ADVISORY:
Nortel:
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=654641
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=654714

Compass Security Network Computing AG:
http://www.csnc.ch/static/advisory/csnc/nortel_IP_phone_forced_re-authentication_v1.0.txt
http://www.csnc.ch/static/advisory/csnc/nortel_IP_phone_surveillance_mode_v1.0.txt

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------