
CERT Coordination Center

Voice mail systems allow administrative access based on Caller ID

Vulnerability Note VU#726548

Original Release Date: 2007-01-30 | Last Revised: 2007-03-30

Overview

Certain voice mail systems trust Calling Number Identification (CNID, Caller ID) to authenticate administrative access to voice mail accounts. Caller ID can be easily spoofed, allowing an attacker to gain control over a vulnerable voice mailbox.

Description

Some voice mail systems use Caller ID to authenticate administrative access to individual voice mail accounts. If the Caller ID of an inbound call matches the number assigned to the telephone associated with the voice mailbox, the system assumes that the call is originating from that phone, and the call is routed to the voice mailbox with administrative privileges. The party originating the call can then listen to and delete messages, modify the greeting, and perform other administrative functions. Some systems ring the phone first, others do not.

Caller ID can be readily spoofed using freely available PBX software and an H.323/VoIP gateway service, and possibly via other methods. Caller ID should not be trusted for authentication.

Depending on available product features and default configurations, voice mail service providers may or may not have the option to use Caller ID to authenticate administrative access to voice mail accounts. There are two groups represented in the Systems Affected section of this document: voice mail product/system vendors and voice mail service providers. A vendor is noted as "Not Vulnerable" if their products do not allow Caller ID to be used for authentication by default or do not allow it at all. A service provider is noted as "Not Vulnerable" if their voice mail services do not rely on Caller ID for authentication.

Impact

An attacker can gain administrative access to a voice mailbox. Depending on the system, the attacker could listen to and delete messages, change the greeting message, or make other modifications. By changing the greeting message, an attacker may be able to charge calls to an account with a vulnerable voice mail system:

<http://www.wired.com/news/infostructure/0,1377,58517,00.html>

Any system that relies solely on caller ID for authentication may be vulnerable to impersonation or spoofing attacks.

Solution

Require password authentication
If possible, configure voice mail systems to require a password/PIN to authenticate access to administrative account functions. A unique default password should be assigned to each voice mail account.
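
The access decision described above, shown as an added example that is not code from CERT/CC or any vendor: the first check grants access on a Caller ID match alone, the second ignores Caller ID and verifies a per-mailbox PIN. The `Mailbox` type, the function names, the lockout threshold and the sample numbers are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 3  # assumed lockout threshold; the advisory does not specify one


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored value does not reveal the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Mailbox:
    number: str      # directory number of the phone tied to this mailbox
    salt: bytes
    pin_hash: bytes
    failures: int = 0


def new_mailbox(number: str, pin: str) -> Mailbox:
    salt = os.urandom(16)
    return Mailbox(number, salt, hash_pin(pin, salt))


def authorize_by_caller_id(box: Mailbox, caller_id: str) -> bool:
    """Flawed check from the Description: a matching CNID alone grants access."""
    return caller_id == box.number


def authorize_by_pin(box: Mailbox, caller_id: str, pin: Optional[str]) -> bool:
    """Hardened check: caller_id is caller-supplied data and is never consulted."""
    if box.failures >= MAX_FAILURES:
        return False  # locked until an administrator resets the counter
    supplied = hash_pin(pin or "", box.salt)
    ok = pin is not None and hmac.compare_digest(supplied, box.pin_hash)
    box.failures = 0 if ok else box.failures + 1
    return ok


if __name__ == "__main__":
    box = new_mailbox("5550100", "482913")           # constructed sample values
    claimed = "5550100"                              # CNID presented by an inbound call
    print(authorize_by_caller_id(box, claimed))      # True: number match is enough
    print(authorize_by_pin(box, claimed, None))      # False: no PIN, no access
    print(authorize_by_pin(box, claimed, "482913"))  # True: PIN verified
```

A failure lockout limits PIN guessing but also lets a caller lock the owner out, so the reset path needs its own authentication.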

Vendor Information


Lucent Technologies Affected

Notified:  May 27, 2003 Updated: August 07, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nortel Networks, Inc. Affected

Notified:  May 28, 2003 Updated: July 15, 2003

Status

Affected

Vendor Statement

Nortel Networks CallPilot and Meridian Mail voicemail systems do not generally authenticate by Caller ID but require a mailbox number + password to authenticate access to the mailbox. For additional security, users are forced to change the default password assigned to a newly created mailbox the first time they log on. The only exception is where the auto logon feature is specifically configured by the administrator for a mailbox, in which case a user at the given Directory Number can access the corresponding mailbox without entering the mailbox number + password. Nortel Networks voicemail systems do not hard code or default to this behavior.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sprint Affected

Notified:  May 28, 2003 Updated: May 30, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


T-Mobile Affected

Notified:  May 30, 2003 Updated: May 30, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Avaya Not Affected

Notified:  May 28, 2003 Updated: June 24, 2003

Status

Not Affected

Vendor Statement

Avaya voicemail systems are not vulnerable to attacks that use caller ID information to authenticate administrative access to voice mailboxes.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Cable and Wireless Not Affected

Notified:  May 28, 2003 Updated: May 30, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Mediatrix Telecom Inc Not Affected

Notified:  June 05, 2003 Updated: July 02, 2003

Status

Not Affected

Vendor Statement

Mediatrix Telecom, Inc. does not provide a voice mail system and is therefore not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Mitel Not Affected

Notified:  May 29, 2003 Updated: May 30, 2003

Status

Not Affected

Vendor Statement

Not vulnerable. A PIN is always required for administrative voicemail access and configuration. The default configuration requires a PIN for user mailbox access.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Pingtel Not Affected

Notified:  May 28, 2003 Updated: June 05, 2003

Status

Not Affected

Vendor Statement

Pingtel's voicemail product does not presently allow administrative access via a TUI (telephony user interface) to individual voicemail accounts.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Shoreline Communication Not Affected

Notified:  May 28, 2003 Updated: June 23, 2003

Status

Not Affected

Vendor Statement

Shoreline's Voice System does not use Caller ID for authentication to Voice Mail.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


3Com Unknown

Notified:  May 28, 2003 Updated: May 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


AT&T Unknown

Notified:  May 28, 2003 Updated: May 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Alcatel Unknown

Notified:  May 28, 2003 Updated: May 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Allied Telesis Unknown

Updated:  January 31, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cisco Systems, Inc. Unknown

Notified:  May 28, 2003 Updated: June 02, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Hewlett-Packard Company Unknown

Notified:  May 28, 2003 Updated: June 02, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


IBM Corporation Unknown

Notified:  May 28, 2003 Updated: May 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MCI Unknown

Notified:  July 30, 2003 Updated: August 08, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MetaSwitch Unknown

Updated:  January 31, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Motorola Unknown

Notified:  May 28, 2003 Updated: May 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NetIQ Unknown

Updated:  January 31, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nokia Unknown

Notified:  May 28, 2003 Updated: May 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Polycom Unknown

Updated:  January 31, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Qwest Unknown

Notified:  July 30, 2003 Updated: August 08, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


RAD Data Communications Unknown

Updated:  January 31, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SBC Unknown

Notified:  July 30, 2003 Updated: August 08, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Siemens Unknown

Notified:  June 02, 2003 Updated: June 04, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sphere Unknown

Updated:  January 31, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

StarVox Unknown

Updated:  January 31, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.




Acknowledgements

This vulnerability was reported by Gus Bourg.

This document was written by Art Manion.

Other Information

CVE IDs: None
Severity Metric: 9.22
Date Public: 2007-01-30
Date First Published: 2007-01-30
Date Last Updated: 2007-03-30 19:49 UTC
Document Revision: 29

Sponsored by CISA.