[ISN] Critical flaws found in VoIP products using H.323 protocol

From: InfoSec News (isn@private)
Date: Wed Jan 14 2004 - 03:55:34 PST

  • Next message: InfoSec News: "[ISN] Park Police Bomb Their Terrorism Test"

    http://www.computerworld.com/securitytopics/security/story/0,10801,89041,00.html
    
    Story by Jaikumar Vijayan 
    JANUARY 13, 2004
    COMPUTERWORLD
    
    Several critical vulnerabilities have been discovered in voice over
    Internet Protocol (VoIP) and videoconferencing products based on the
    H.323 protocol that's used in IP telephony applications to exchange
    audio and video communications.
    
    VoIP products from several vendors, including Microsoft Corp., Cisco
    Systems Inc. and Nortel Networks Ltd., are affected by the flaws, with
    risks including denial-of-service attacks and remote system
    compromise, according to an advisory from Atlanta-based Internet
    Security Systems Inc. (ISS).
    
    The flaws were discovered by the U.K.'s National Infrastructure
    Security Coordination Centre using a test suite designed by the
    Finland-based Oulu University Secure Programming Group (OUSPG). The
    OUSPG test suite was designed to identity flaws in the H.323 protocol.
    
    A similar test suite developed by the OUSPG led to the discovery in
    2002 of several implementation specific flaws in the Simple Network
    Management Protocol.
    
    According to Neel Mehta, a security researcher at ISS's X-Force group,
    the vulnerabilities are the result of coding errors in the H.323
    implementations from each of the vendors.
    
    The vulnerabilities in Cisco's Internetworking Operating System (IOS)  
    software caused the biggest concern because of the widespread use of
    the operating system on Internet routers, Mehta said.
    
    According to a Cisco advisory, all of its products running IOS and
    supporting H.323 packet processing are affected. "This may include the
    Network Address Translation (NAT) components of Cisco devices, and
    security features in Cisco devices such as Content-Based Access
    Control," according to an ISS advisory.
    
    Several other Cisco products that don't run IOS are also affected,
    including Cisco CallManager Versions 3.0 through 3.3, Cisco BTS 10200
    Softswitch and the Cisco 7905 IP Phone H.323 Software Version 1.00,
    according to a statement from the company.
    
    "The vulnerabilities discovered in the affected products can be easily
    and repeatedly demonstrated with the use of the [test suite]" the
    Cisco advisory said. It goes on to add that exploitation of the flaws
    could result in denial-of-service attacks, system crashes and
    performance degradation. Cisco in its statement announced several
    fixes and work-around for the vulnerabilities.
    
    In a similar advisory, Microsoft warned users of a critical
    vulnerability in the H.323 filter for its Internet Security and
    Acceleration Server 2000. Successful exploitation of the flaw could
    allow attackers to take complete control of a compromised system, said
    the Microsoft advisory.
    
    In advising users to patch affected software immediately, Microsoft
    also announced work-arounds that can block attacks. One of them is to
    disable H.323 filters, thereby blocking H.323 traffic.
    
    An advisory posted by the CERT Coordination Center at Carnegie Mellon
    University in Pittsburgh listed more than 60 vendors whose products
    could be affected by H.323 flaws.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Jan 14 2004 - 06:42:46 PST