VoIP Phones - Cisco 7xxx: Difference between revisions
No edit summary |
m (clean up, typos fixed: to it's → to its) |
||
| (6 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
<indicator name="VoIPConfiguring">[[File:menu-voip.svg|link=:Category:VoIP Phones|30px|Back up to the VoIP Configuring page]]</indicator> |
|||
[[file:Cisco7940.png||ALT=Cisco7940]] |
[[file:Cisco7940.png||ALT=Cisco7940]] |
||
==Phones and Versions Tested== |
==Phones and Versions Tested== |
||
{| class="wikitable" |
{| class="wikitable" |
||
| Line 14: | Line 15: | ||
|3.8.6 |
|3.8.6 |
||
| |
| |
||
| ⚫ | |||
|- |
|||
|7940G |
|||
|SIP41.8-5-4S |
|||
|Appears stable |
|||
|- |
|||
|7940G |
|||
|SIP41.9-4-2SR1-1S |
|||
|Phone runs sluggish, reboots randomly, not recommended |
|||
| ⚫ | |||
{| class="wikitable" |
{| class="wikitable" |
||
| Line 30: | Line 42: | ||
|} |
|} |
||
| ⚫ | |||
'''* Important *''' |
|||
Whilst testing SIP41.8-5-4S it appears the phone/firmware is vulnerable to a SIP/UDP amplification attack where crafted SIP 'INVITE' packets sent on UDP 5600 cause the phone to respond to its upstream SIP gateway with multiple SIP 2.0 '404' packets. Measured at a rate of approximately 20 packets/second, whilst not a major cause for concern with a single phone could potentially cause service issues where several phones are in use. |
|||
This vulnerability is protected against by correct firewall protection/filtering limiting inbound UDP on SIP port 5600 to the phone to be exclusively from |
|||
the parent SIP service (e.g. voiceless.aa.net.uk - see the VoIP security/firewall section). '''It is not recommended to leave these phones connected to the internet without any protection.''' |
|||
| ⚫ | |||
==Firewall & Security== |
|||
*You will also want to set up firewall rules, as per the [[VoIP Firewall]] page. |
|||
*Also see the [[VoIP Security]] page for information about securing your VoIP service. |
|||
[[Category:VoIP |
[[Category:VoIP Phones|Cisco 7xxx]] |
||
[[Category:VoIP Phones]] |
|||
Latest revision as of 00:00, 15 March 2017
Phones and Versions Tested
| Cisco 7xxx Versions tested | ||
|---|---|---|
| Model | Version | Notes |
| 7940 | 3.8.6 |
|
| 7940G | SIP41.8-5-4S | Appears stable
|
| 7940G | SIP41.9-4-2SR1-1S | Phone runs sluggish, reboots randomly, not recommended |
| Feature Notes | |
|---|---|
| Supports 302 Redirect | ? |
| Tested on FireBrick SIP Server | Yes |
| IPv6 Support | No |
* Important *
Whilst testing SIP41.8-5-4S it appears the phone/firmware is vulnerable to a SIP/UDP amplification attack where crafted SIP 'INVITE' packets sent on UDP 5600 cause the phone to respond to its upstream SIP gateway with multiple SIP 2.0 '404' packets. Measured at a rate of approximately 20 packets/second, whilst not a major cause for concern with a single phone could potentially cause service issues where several phones are in use.
This vulnerability is protected against by correct firewall protection/filtering limiting inbound UDP on SIP port 5600 to the phone to be exclusively from the parent SIP service (e.g. voiceless.aa.net.uk - see the VoIP security/firewall section). It is not recommended to leave these phones connected to the internet without any protection.
Configuration
Firewall & Security
- You will also want to set up firewall rules, as per the VoIP Firewall page.
- Also see the VoIP Security page for information about securing your VoIP service.