Vulnerability Name:

CVE-2007-5638 (CCN-42881)

Assigned: 2007-10-18
Published: 2007-10-18
Updated: 2018-10-15
Summary: The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional Nortel products from the IP Phone, Business Communications Manager (BCM), and other product lines, use only 65536 different values in the 32-bit ID number field of an RUDP datagram, which makes it easier for remote attackers to guess the RUDP ID and spoof messages.
Note: this can be leveraged for an eavesdropping attack by sending many Open Audio Stream messages.
CVSS v3 Severity: 4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Adjacent
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
2.9 Low (CCN CVSS v2 Vector: AV:A/AC:M/Au:N/C:N/I:P/A:N)
2.1 Low (CCN Temporal CVSS v2 Vector: AV:A/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Adjacent_Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-310
CWE-200
Vulnerability Consequences: Other
References: Source: MITRE
Type: CNA
CVE-2007-5638

Source: OSVDB
Type: UNKNOWN
41770

Source: CCN
Type: SA27234
Nortel Products Multiple Vulnerabilities

Source: SECUNIA
Type: Patch, Vendor Advisory
27234

Source: SREASON
Type: UNKNOWN
3272

Source: CCN
Type: Nortel Technical Support Security Advisory Bulletin 2007008383
UNIStim IP Phone Remote Eavesdrop Potential Vulnerability

Source: CCN
Type: COMPASS SECURITY ADVISORY: October, 18th 2007
IP Phone Surveillance Mode

Source: MISC
Type: Exploit
http://www.csnc.ch/static/advisory/csnc/nortel_IP_phone_surveillance_mode_v1.0.txt

Source: CCN
Type: OSVDB ID: 41770
Nortel Multiple Products RUDP Datagram Prediction Message Spoofing

Source: BUGTRAQ
Type: UNKNOWN
20071018 Nortel IP Phone Surveillance Mode

Source: BID
Type: Exploit
26120

Source: CCN
Type: BID-26120
Nortel Networks Multiple UNIStim VoIP Products Remote Eavesdrop Vulnerability

Source: XF
Type: UNKNOWN
nortel-ipphone-unistim-audio-hijacking(37255)

Source: XF
Type: UNKNOWN
nortel-ipphone-audiostream-spoofing(42881)

Vulnerable Configuration: Configuration 1:
  • cpe:/a:nortel:multimedia_communication_server_5100:*:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:multimedia_communication_server_5200:*:*:*:*:*:*:*:*
  • AND
  • cpe:/a:nortel:communications_server:1000e:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:communications_server:1000m:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:communications_server:1000s:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:communications_server:2100:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_audio_conference_phone_2033:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_phone_1110:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_phone_1120e:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_phone_1140e:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_phone_1150e:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_phone_2001:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_phone_2002:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_phone_2004:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_phone_2007:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:wlan_handset_2210:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:wlan_handset_2211:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:wlan_handset_2212:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:wlan_handset_6120:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:wlan_handset_6140:*:*:*:*:*:*:*:*
  • AND
  • cpe:/a:nortel:business_communications_manager:50:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:business_communications_manager:50a:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:business_communications_manager:50e:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:business_communications_manager:200:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:business_communications_manager:400:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:business_communications_manager:1000:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:business_communications_manager:srg50:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:business_communications_manager:srg200:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:centrex_ip_client_manager:*:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:centrex_ip_element_manager:*:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:meridian_option_11c:*:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:meridian_option_51c:*:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:meridian_option_61c:*:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:meridian_option_81c:*:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:meridian_sl100:cs2100:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:mobile_voice_client_2050:*:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:nortel:meridian_option_11c:*:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:meridian_option_51c:*:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:meridian_option_61c:*:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:meridian_option_81c:*:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:business_communications_manager:1000:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:business_communications_manager:200:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:business_communications_manager:400:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:business_communications_manager:50:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:business_communications_manager:50a:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:business_communications_manager:50e:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:business_communications_manager:srg200:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:business_communications_manager:srg50:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:mobile_voice_client_2050:*:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:meridian_sl100:-:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:centrex_ip_client_manager:*:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:centrex_ip_element_manager:*:*:*:*:*:*:*:*
  • AND
  • cpe:/a:nortel:cs1000e:-:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:cs1000m:-:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:cs1000s:-:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_audio_conference_phone_2033:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_phone_1110:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_phone_1120e:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_phone_1140e:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_phone_1150e:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_phone_2001:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_phone_2002:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_phone_2004:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:ip_phone_2007:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:wlan_handset_2210:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:wlan_handset_2211:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:wlan_handset_2212:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:wlan_handset_6120:*:*:*:*:*:*:*:*
  • OR cpe:/h:nortel:wlan_handset_6140:*:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:multimedia_communication_server_5100:*:*:*:*:*:*:*:*
  • OR cpe:/a:nortel:multimedia_communication_server_5200:*:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    nortel multimedia communication server 5100 *
    nortel multimedia communication server 5200 *
    nortel communications server 1000e
    nortel communications server 1000m
    nortel communications server 1000s
    nortel communications server 2100
    nortel ip audio conference phone 2033 *
    nortel ip phone 1110 *
    nortel ip phone 1120e *
    nortel ip phone 1140e *
    nortel ip phone 1150e *
    nortel ip phone 2001 *
    nortel ip phone 2002 *
    nortel ip phone 2004 *
    nortel ip phone 2007 *
    nortel wlan handset 2210 *
    nortel wlan handset 2211 *
    nortel wlan handset 2212 *
    nortel wlan handset 6120 *
    nortel wlan handset 6140 *
    nortel business communications manager 50
    nortel business communications manager 50a
    nortel business communications manager 50e
    nortel business communications manager 200
    nortel business communications manager 400
    nortel business communications manager 1000
    nortel business communications manager srg50
    nortel business communications manager srg200
    nortel centrex ip client manager *
    nortel centrex ip element manager *
    nortel meridian option 11c *
    nortel meridian option 51c *
    nortel meridian option 61c *
    nortel meridian option 81c *
    nortel meridian sl100 cs2100
    nortel mobile voice client 2050 *
    nortel meridian option 11c *
    nortel meridian option 51c *
    nortel meridian option 61c *
    nortel meridian option 81c *
    nortel business communications manager 1000
    nortel business communications manager 200
    nortel business communications manager 400
    nortel business communications manager 50
    nortel business communications manager 50a
    nortel business communications manager 50e
    nortel business communications manager srg200
    nortel business communications manager srg50
    nortel mobile voice client 2050 *
    nortel meridian sl100 -
    nortel centrex ip client manager *
    nortel centrex ip element manager *
    nortel cs1000e -
    nortel cs1000m -
    nortel cs1000s -
    nortel ip audio conference phone 2033 *
    nortel ip phone 1110 *
    nortel ip phone 1120e *
    nortel ip phone 1140e *
    nortel ip phone 1150e *
    nortel ip phone 2001 *
    nortel ip phone 2002 *
    nortel ip phone 2004 *
    nortel ip phone 2007 *
    nortel wlan handset 2210 *
    nortel wlan handset 2211 *
    nortel wlan handset 2212 *
    nortel wlan handset 6120 *
    nortel wlan handset 6140 *
    nortel multimedia communication server 5100 *
    nortel multimedia communication server 5200 *