Critical flaws found in VoIP products using H.323 protocol

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,89041,00.html

Story by Jaikumar Vijayan 
JANUARY 13, 2004
COMPUTERWORLD

Several critical vulnerabilities have been discovered in voice over
Internet Protocol (VoIP) and videoconferencing products based on the
H.323 protocol that's used in IP telephony applications to exchange
audio and video communications.

VoIP products from several vendors, including Microsoft Corp., Cisco
Systems Inc. and Nortel Networks Ltd., are affected by the flaws, with
risks including denial-of-service attacks and remote system
compromise, according to an advisory from Atlanta-based Internet
Security Systems Inc. (ISS).

The flaws were discovered by the U.K.'s National Infrastructure
Security Coordination Centre using a test suite designed by the
Finland-based Oulu University Secure Programming Group (OUSPG). The
OUSPG test suite was designed to identity flaws in the H.323 protocol.

A similar test suite developed by the OUSPG led to the discovery in
2002 of several implementation specific flaws in the Simple Network
Management Protocol.

According to Neel Mehta, a security researcher at ISS's X-Force group,
the vulnerabilities are the result of coding errors in the H.323
implementations from each of the vendors.

The vulnerabilities in Cisco's Internetworking Operating System (IOS)  
software caused the biggest concern because of the widespread use of
the operating system on Internet routers, Mehta said.

According to a Cisco advisory, all of its products running IOS and
supporting H.323 packet processing are affected. "This may include the
Network Address Translation (NAT) components of Cisco devices, and
security features in Cisco devices such as Content-Based Access
Control," according to an ISS advisory.

Several other Cisco products that don't run IOS are also affected,
including Cisco CallManager Versions 3.0 through 3.3, Cisco BTS 10200
Softswitch and the Cisco 7905 IP Phone H.323 Software Version 1.00,
according to a statement from the company.

"The vulnerabilities discovered in the affected products can be easily
and repeatedly demonstrated with the use of the [test suite]" the
Cisco advisory said. It goes on to add that exploitation of the flaws
could result in denial-of-service attacks, system crashes and
performance degradation. Cisco in its statement announced several
fixes and work-around for the vulnerabilities.

In a similar advisory, Microsoft warned users of a critical
vulnerability in the H.323 filter for its Internet Security and
Acceleration Server 2000. Successful exploitation of the flaw could
allow attackers to take complete control of a compromised system, said
the Microsoft advisory.

In advising users to patch affected software immediately, Microsoft
also announced work-arounds that can block attacks. One of them is to
disable H.323 filters, thereby blocking H.323 traffic.

An advisory posted by the CERT Coordination Center at Carnegie Mellon
University in Pittsburgh listed more than 60 vendors whose products
could be affected by H.323 flaws.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.