From rmilner at aoc.nrao.edu Thu Jan 15 10:52:50 2004
From: rmilner at aoc.nrao.edu (Ruth Milner)
Date: Thu, 15 Jan 2004 08:52:50 -0700
Subject: [comm] more on H.323 bug
Message-ID: <4006B752.8060805@aoc.nrao.edu>

SANS @RISK article. The Cisco advisory suggests that all of our routers which support H.323, period, are vulnerable, but according to this quote, we should be protected against external direct attacks from the Internet at large (are there any non-NRAO IP ranges that we accept H.323 connections from?):

    If you choose to block H.323 traffic using an access list to prevent
    H.323 traffic from entering the router, you will have protected your
    device from the vulnerability described in this Advisory

Ruth.

------------

(1) HIGH: Multiple Vendor H.323 Protocol Implementation Vulnerabilities

Affected:
Many hardware and software products that implement the H.323 protocol, including Microsoft ISA Server 2000 and multiple Cisco products that support H.323 (includes IOS).

Description:
Multiple vulnerabilities have been reported in the H.323 protocol implementation by various vendors. Specifically, the vulnerabilities reside in the H.225 sub-protocol which helps describe connection setups in Voice Over IP (VOIP). The vulnerabilities were revealed by the latest PROTOS test suite that stresses an implementation's ability to handle malformed H.225 messages. Successful exploitation of these vulnerabilities may cause a denial-of-service or lead to execution of arbitrary code on the system or device supporting the H.323 protocol. Cisco IOS versions are vulnerable to DoS attacks due to H.323 handling issues, and a flaw in the Microsoft Internet Security and Acceleration (ISA) server can be exploited to execute arbitrary code with the privileges of the ISA Firewall Service. Several other vendors are currently investigating whether their products are affected.

Status:
Cisco and Microsoft have confirmed the vulnerabilities and have released updates. More information is available at the links below.

Council Site Actions:
Most of the council sites are still researching their vulnerability level. Many said they do not use H.323. Those sites who already know they have vulnerable products plan to deploy the patches as soon as possible for Internet-facing systems, and during normal system update processes for internal systems. One site commented that they tightly control H.323 at their gateways which affords them some level of protection.

References:
Microsoft Advisory
http://www.microsoft.com/technet/security/bulletin/ms04-001.asp
Cisco Advisory
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml
UK National Infrastructure Security Coordination Centre Advisory
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
CERT Advisory
http://www.cert.org/advisories/CA-2004-01.html
PROTOS Project Home Page
http://www.ee.oulu.fi/research/ouspg/protos/
SecurityFocus BID
http://www.securityfocus.com/bid/9406
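The access-list workaround quoted above, written out as an added example in Cisco IOS syntax; it is not taken from the Cisco advisory or from the message. The address ranges, the interface name and the ACL name are placeholders, and the port numbers are the standard H.323 ones (TCP 1720 for H.225 call signalling, UDP 1719 for H.225 RAS), which the page itself does not state.

```cisco
! Added example (not from the advisory). Placeholders:
!   203.0.113.0/24  = the site's own address range, allowed to send H.323
!   Serial0/0       = the Internet-facing interface
! Standard H.323 ports assumed: TCP 1720 (H.225 call signalling),
! UDP 1719 (H.225 RAS). A call set up on a non-standard port is not
! covered by these lines.
!
ip access-list extended INET-IN
 remark H.323 signalling accepted only from our own ranges
 permit tcp 203.0.113.0 0.0.0.255 any eq 1720
 permit udp 203.0.113.0 0.0.0.255 any eq 1719
 remark H.323 from anywhere else is dropped before the router parses it;
 remark "any" as destination also stops H.323 transiting to inside hosts
 deny   tcp any any eq 1720 log
 deny   udp any any eq 1719 log
 remark keep the interface's existing policy for everything else
 permit ip any any
!
interface Serial0/0
 description Internet uplink
 ip access-group INET-IN in
!
! Check that the deny lines are matching (hit counts climb) after applying:
! show ip access-lists INET-IN
```

The same list must be applied inbound on every interface that faces an untrusted network, and, as the Council Site Actions note, it is a stopgap until the IOS update is installed rather than a fix.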