The HIPS tool the PAL team used provides an open interface so a custom rule to precisely shield the SipXtapi vulnerability could be built.
This ability to develop home grown rules can come in handy, especially considering the possibility that the government may know a vulnerability before it is published, so their ability to build shields without relying on an industrial partner may be important at some point. This way open systems are much preferred to a "black box" IPS approach where you are never sure if you are protected or not. (There are many approaches for HIPS systems, with some being learning, or behaviour-based. The idea is to learn normal, and then stop something that looks abnormal. The problem is that these approaches have no vulnerability signature update mechanism, and they are not designed to offer protection from exploits on known vulnerabilities).
After reviewing the vulnerability and exploit example, it only took a few minutes to have a filter ready to test. The nature of the buffer overflow is when the command sequence parameter "CSeq" SIP header field is larger than 24 bytes. The filter just drops malformed messages which exceed this length and violates correct protocol syntax. The resulting filter XML rule code is only 4 lines and is almost readable in English:
<rule pat="INVITE " state="0" case="1"> stateset 1 </rule> <rule pat="CSeq:" state="1"> startcount 24 </rule> <counter> drop "sipXtapi CSeq overflow" </counter> <rule pat="\n">clrcount </rule>
The team tested this filter on systems and subjected them to attacks. In all cases, the filter worked and shielded the system. The HIPS product also provided an important logging function, so security administrators will know when systems are being attacked and they can take further action such as identifying the IP address of the attacker. The team also noted that the logging feature helps security administrators justify the value in acquiring such a tool, which is important and can be overlooked initially.
Conclusion
The PAL team will continue to have lots to do, especially as it expands coverage into next-generation networking technologies. Software vulnerabilities are here to stay, and as systems become more complex it only means the discovery rate of vulnerabilities will continue to climb. Combine that with use of new applications such as VoIP and SIP protocols, and the opportunity for hackers to cause much damage increases again.
While the ultimate answer is to have perfect software with zero vulnerabilities, that does not appear even remotely thinkable. Patching cannot keep up with attacks, and standard tools such as anti-virus and anti-spyware are not sufficient anymore. Intrusion prevention is now required as another layer of defence, and the PAL team's experience has shown that a host-based IPS system providing for vulnerability-facing signature updates is an effective approach that should be investigated for application in VoIP environments. Mitigating current and future vulnerabilities allows you to use VoIP in confidence, such that once deployed, you stay secure even as new vulnerabilities are discovered.
icon.
