Overview
Certain voice mail systems trust Calling Number Identification (CNID, Caller ID) to authenticate administrative access to voice mail accounts. Caller ID can be easily spoofed, allowing an attacker to gain control over a vulnerable voice mailbox.
Description
Some voice mail systems use Caller ID to authenticate administrative access to individual voice mail accounts. If the Caller ID of an inbound call matches the number assigned to the telephone associated with the voice mailbox, the system assumes that the call is originating from that phone, and the call is routed to the voice mailbox with administrative privileges. The party originating the call can then listen to and delete messages, modify the greeting, and perform other administrative functions. Some systems ring the phone first, others do not. Caller ID can be readily spoofed using freely available PBX software and a H.323/VOIP gateway service, and possibly via other methods. Caller ID should not be trusted for authentication. |
Impact
An attacker can gain administrative access to a voice mailbox. Depending on the system, the attacker could listen to and delete messages, change the greeting message, or make other modifications. By changing the greeting message, an attacker may be able to charge calls to an account with a vulnerable voice mail system: |
Solution
Require password authentication |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
This vulnerability was reported by Gus Bourg.
This document was written by Art Manion.
Other Information
| CVE IDs: | None |
| Severity Metric: | 9.22 |
| Date Public: | 2007-01-30 |
| Date First Published: | 2007-01-30 |
| Date Last Updated: | 2007-03-30 19:49 UTC |
| Document Revision: | 29 |