[comm] more on H.323 bug

Ruth Milner rmilner at aoc.nrao.edu
Thu Jan 15 10:52:50 EST 2004


SANS @RISK article. The Cisco advisory suggests that all of our
routers which support H.323, period, are vulnerable, but according
to this quote, we should be protected against external direct
attacks from the Internet at large (are there any non-NRAO IP
ranges that we accept H.323 connections from?):

   If you choose to block H.323 traffic using an access list to
   prevent H.323 traffic from entering the router, you will have
   protected your device from the vulnerability described in this
   Advisory

Ruth.
------------

(1) HIGH: Multiple Vendor H.323 Protocol Implementation Vulnerabilities
Affected: Many hardware and software products that implement the H.323
protocol, including Microsoft ISA Server 2000 and multiple Cisco
products that support H.323 (includes IOS).

Description: Multiple vulnerabilities have been reported in the H.323
protocol implementation by various vendors. Specifically, the
vulnerabilities reside in the H.225 sub-protocol which helps describe
connection setups in Voice Over IP (VOIP). The vulnerabilities were
revealed by the latest PROTOS test suite that stresses an
implementation's ability to handle malformed H.225 messages. Successful
exploitation of these vulnerabilities may cause a denial-of-service or
lead to execution of arbitrary code on the system or device supporting
the H.323 protocol. Cisco IOS versions are vulnerable to DoS attacks
due to H.323 handling issues, and a flaw in the Microsoft Internet
Security and Acceleration (ISA) server can be exploited to execute
arbitrary code with the privileges of the ISA Firewall Service. Several
other vendors are currently investigating whether their products are
affected.

Status: Cisco and Microsoft have confirmed the vulnerabilities and have
released updates. More information is available at the links below.

Council Site Actions: Most of the council sites are still researching
their vulnerability level. Many said they do not use H.323. Those sites
who already know they have vulnerable products plan to deploy the
patches as soon as possible for Internet-facing systems, and during
normal system update processes for internal systems. One site commented
that they tightly control H.323 at their gateways which affords them
some level of protection.

References:
Microsoft Advisory
   http://www.microsoft.com/technet/security/bulletin/ms04-001.asp
Cisco Advisory
   http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml
UK National Infrastructure Security Coordination Centre Advisory
   http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
CERT Advisory
   http://www.cert.org/advisories/CA-2004-01.html
PROTOS Project Home Page
   http://www.ee.oulu.fi/research/ouspg/protos/
SecurityFocus BID
   http://www.securityfocus.com/bid/9406
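
The question raised in the message above, which source ranges a router's access list still accepts H.323 connections from, can be checked mechanically. The sketch below is an added example, not part of the original post or of any vendor advisory. It assumes numbered IOS-style extended ACL lines with no source-port operators and contiguous wildcard masks, H.225 call signalling on TCP port 1720, and a constructed sample ACL using documentation address ranges.

```python
import ipaddress

H225_PORT = "1720"  # assumed default TCP port for H.225 call signalling

# Constructed sample ACL (documentation address ranges), not a real config.
SAMPLE_ACL = """\
access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq 1720
access-list 101 permit tcp host 198.51.100.7 any eq 1720
access-list 101 deny tcp any any eq 1720
access-list 101 permit ip any any
"""

def parse_addr(tok):
    """Consume one address spec (any | host A | A WILDCARD) from the token list."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    # An IOS wildcard mask is a host mask, which ip_network accepts directly.
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")

def parse_acl(text):
    """Return (action, source_network) for every rule that matches TCP/1720."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src = parse_addr(rest)
        parse_addr(rest)  # destination ignored: conservatively treated as the router
        port = rest[1] if rest[:1] == ["eq"] and len(rest) > 1 else None
        if proto in ("tcp", "ip") and port in (None, H225_PORT):
            rules.append((action, src))
    return rules

def h323_sources(text):
    """Source networks still able to reach TCP/1720, honouring first-match order."""
    denied, allowed = [], []
    for action, src in parse_acl(text):
        if any(src.subnet_of(earlier) for earlier in denied + allowed):
            continue  # fully shadowed by an earlier rule, so it never matches
        (allowed if action == "permit" else denied).append(src)
    return allowed  # anything not listed falls to the implicit deny

if __name__ == "__main__":
    for net in h323_sources(SAMPLE_ACL):
        print("H.323 accepted from", net)
```

A permit that is only partly covered by an earlier deny is reported whole, so the result errs toward over-reporting exposure.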




