RE: Fw: CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 14 Jan 2004 11:42:27 -0600

BWWWWWAAAAAAAAAAAAAA! :)

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server 2004 Beta - Coming Soon
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Wednesday, January 14, 2004 11:38 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Fw: CERT Advisory CA-2004-01 Multiple H.323 Message
Vulnerabilities


http://www.ISAserver.org

..just in case you thought it was only MS products that were affected...

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!

----- Original Message ----- 
From: "CERT Advisory" <cert-advisory@xxxxxxxx>
To: <cert-advisory@xxxxxxxx>
Sent: Wednesday, January 14, 2004 07:43
Subject: CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities




-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities

   Original release date: January 13, 2004
   Last revised: --
   Source: CERT/CC, NISCC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Many software and hardware systems that implement the H.323
       protocol

       Examples include
          + Voice over Internet Protocol (VoIP) devices and software
          + Video conferencing equipment and software
          + Session Initiation Protocol (SIP) devices and software
          + Media Gateway Control Protocol (MGCP) devices and software
          + Other networking equipment that may process H.323 traffic
            (e.g., routers and firewalls)

Overview

   A number of vulnerabilities have been discovered in various
   implementations of the multimedia telephony protocol H.323. Voice
   over Internet Protocol (VoIP) and video conferencing equipment and
   software can use these protocols to communicate over a variety of
   computer networks.

I. Description

   The U.K. National Infrastructure Security Co-ordination Centre
   (NISCC) has reported multiple vulnerabilities in different vendor
   implementations of the multimedia telephony protocol H.323. H.323 is
   an international standard protocol, published by the International
   Telecommunications Union, used to facilitate communication among
   telephony and multimedia systems. Examples of such systems include
   VoIP, video-conferencing equipment, and network devices that manage
   H.323 traffic. A test suite developed by NISCC and the University of
   Oulu Security Programming Group (OUSPG) has exposed multiple
   vulnerabilities in a variety of implementations of the H.323
   protocol (specifically its connection setup sub-protocol H.225.0).

   Information about individual vendor H.323 implementations is
   available in the Vendor Information section below, and in the Vendor
   Information section of NISCC Vulnerability Advisory 006489/H323.

   The U.K. National Infrastructure Security Co-ordination Centre is
   tracking these vulnerabilities as NISCC/006489/H.323. The CERT/CC is
   tracking this issue as VU#749342. This reference number corresponds
   to CVE candidate CAN-2003-0819, as referenced in Microsoft Security
   Bulletin MS04-001.

II. Impact

   Exploitation of these vulnerabilities may result in the execution of
   arbitrary code or cause a denial of service, which in some cases may
   require a system reboot.

III. Solution

Apply a patch or upgrade

   Appendix A and the Systems Affected section of Vulnerability Note
   VU#749342 contain information provided by vendors for this advisory
   (<http://www.kb.cert.org/vuls/id/749342#systems>).

   However, as vendors report new information to the CERT/CC, we will
   only update VU#749342. If a particular vendor is not listed, we have
   not received their comments. Please contact your vendor directly.

Filter network traffic

   Sites are encouraged to apply network packet filters to block access
   to the H.323 services at network borders. This can minimize the
   potential of denial-of-service attacks originating from outside the
   perimeter. The specific services that should be filtered include

     * 1720/TCP
     * 1720/UDP

   If access cannot be filtered at the network perimeter, the CERT/CC
   recommends limiting access to only those external hosts that require
   H.323 for normal operation. As a general rule, filtering all types
   of network traffic that are not required for normal operation is
   recommended.

   It is important to note that some firewalls process H.323 packets
   and may themselves be vulnerable to attack. As noted in some vendor
   recommendations like Cisco Security Advisory 20040113-h323 and
   Microsoft Security Bulletin MS04-001, certain sites may actually
   want to disable application layer inspection of H.323 network
   packets.

   Protecting your infrastructure against these vulnerabilities may
   require careful coordination among application, computer, network,
   and telephony administrators. You may have to make tradeoffs between
   security and functionality until vulnerable products can be updated.

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this
   advisory. Please see the Systems Affected section of Vulnerability
   Note VU#749342 and the Vendor Information section of NISCC
   Vulnerability Advisory 006489/H323 for the latest information
   regarding the response of the vendor community to this issue.

3Com

     No  statement is currently available from the vendor regarding this
     vulnerability.

Alcatel

     No  statement is currently available from the vendor regarding this
     vulnerability.

Apple Computer Inc.

     Apple:  Not Vulnerable. Mac OS X and Mac OS X Server do not contain
     the issue described in this note.

AT&T

     No  statement is currently available from the vendor regarding this
     vulnerability.

Avaya

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Borderware

     No  statement is currently available from the vendor regarding this
     vulnerability.

Check Point

     No  statement is currently available from the vendor regarding this
     vulnerability.

BSDI

     No  statement is currently available from the vendor regarding this
     vulnerability.

Cisco Systems Inc.

     Please see
     http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml

Clavister

     No  statement is currently available from the vendor regarding this
     vulnerability.

Computer Associates

     No  statement is currently available from the vendor regarding this
     vulnerability.

Cyberguard

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Debian

     No  statement is currently available from the vendor regarding this
     vulnerability.

D-Link Systems

     No  statement is currently available from the vendor regarding this
     vulnerability.

Conectiva

     No  statement is currently available from the vendor regarding this
     vulnerability.

EMC Corporation

     No  statement is currently available from the vendor regarding this
     vulnerability.

Engarde

     No  statement is currently available from the vendor regarding this
     vulnerability.

eSoft

     We  don't  have an H.323 implementation and thus aren't affected by
     this.

Extreme Networks

     No  statement is currently available from the vendor regarding this
     vulnerability.

F5 Networks

     No  statement is currently available from the vendor regarding this
     vulnerability.

Foundry Networks Inc.

     No  statement is currently available from the vendor regarding this
     vulnerability.

FreeBSD

     No  statement is currently available from the vendor regarding this
     vulnerability.

Fujitsu

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Global Technology Associates

     No  statement is currently available from the vendor regarding this
     vulnerability.

Hitachi

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Hewlett-Packard Company

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Ingrian Networks

     No  statement is currently available from the vendor regarding this
     vulnerability.

Intel

     No  statement is currently available from the vendor regarding this
     vulnerability.

Intoto

     No  statement is currently available from the vendor regarding this
     vulnerability.

Juniper Networks

     No  statement is currently available from the vendor regarding this
     vulnerability.

Lachman

     No  statement is currently available from the vendor regarding this
     vulnerability.

Linksys

     No  statement is currently available from the vendor regarding this
     vulnerability.

Lotus Software

     No  statement is currently available from the vendor regarding this
     vulnerability.

Lucent Technologies

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Microsoft Corporation

     Please see
     http://www.microsoft.com/technet/security/bulletin/MS04-001.asp

MontaVista Software

     No  statement is currently available from the vendor regarding this
     vulnerability.

MandrakeSoft

     No  statement is currently available from the vendor regarding this
     vulnerability.

Multi-Tech Systems Inc.

     No  statement is currently available from the vendor regarding this
     vulnerability.

NEC Corporation

     No  statement is currently available from the vendor regarding this
     vulnerability.

NetBSD

     NetBSD  does  not  ship  any  H.323  implementations as part of the
     Operating System.

     There  are a number of third-party implementations available in the
     pkgsrc  system.  As  these  products are found to be vulnerable, or
     updated,   the   packages   will   be   updated   accordingly.  The
     audit-packages  mechanism can be used to check for known-vulnerable
     package versions.

Netfilter

     No  statement is currently available from the vendor regarding this
     vulnerability.

NetScreen

     No  statement is currently available from the vendor regarding this
     vulnerability.

Network Appliance

     No  statement is currently available from the vendor regarding this
     vulnerability.

Nokia

     No  statement is currently available from the vendor regarding this
     vulnerability.

Nortel Networks

     The  following  Nortel  Networks  Generally  Available products and
     solutions   are   potentially   affected   by  the  vulnerabilities
     identified  in  NISCC  Vulnerability  Advisory 006489/H323 and CERT
     VU#749342:

     Business Communications Manager (BCM) (all versions) is potentially
     affected;  more  information is available in Product Advisory Alert
     No. PAA 2003-0392-Global.

     Succession  1000  IP  Trunk  and  IP  Peer  Networking,  and 802.11
     Wireless  IP  Gateway are potentially affected; more information is
     available in Product Advisory Alert No. PAA-2003-0465-Global.

     For more information please contact

     North America: 1-800-4NORTEL or 1-800-466-7835
     Europe, Middle East and Africa: 00800 8008 9009,
     or +44 (0) 870 907 9009

     Contacts for other regions are available at

     http://www.nortelnetworks.com/help/contact/global/

     Or visit the eService portal at http://www.nortelnetworks.com/cs
     under Advanced Search.

     If  you  are a channel partner, more information can be found under

     http://www.nortelnetworks.com/pic

     under Advanced Search.

Novell

     No  statement is currently available from the vendor regarding this
     vulnerability.

Objective Systems Inc.

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

OpenBSD

     No  statement is currently available from the vendor regarding this
     vulnerability.

Openwall GNU/*/Linux

     No  statement is currently available from the vendor regarding this
     vulnerability.

RadVision

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Red Hat Inc.

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Oracle Corporation

     No  statement is currently available from the vendor regarding this
     vulnerability.

Riverstone Networks

     No  statement is currently available from the vendor regarding this
     vulnerability.

Secure Computing Corporation

     No  statement is currently available from the vendor regarding this
     vulnerability.

SecureWorks

     No  statement is currently available from the vendor regarding this
     vulnerability.

Sequent

     No  statement is currently available from the vendor regarding this
     vulnerability.

Sony Corporation

     No  statement is currently available from the vendor regarding this
     vulnerability.

Stonesoft

     No  statement is currently available from the vendor regarding this
     vulnerability.

Sun Microsystems Inc.

     Sun  SNMP  does  not  provide  support  for  H.323,  so  we are not
     vulnerable.  And so far we have not found any bundled products that
     are   affected   by   this  vulnerability.  We  are  also  actively
     investigating  our  unbundled products to see if they are affected.
     Updates   will  be  provided  to  this  statement  as  they  become
     available.

SuSE Inc.

     No  statement is currently available from the vendor regarding this
     vulnerability.

Symantec Corporation

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Unisys

     No  statement is currently available from the vendor regarding this
     vulnerability.

TandBerg

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Tumbleweed Communications Corp.

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

TurboLinux

     No  statement is currently available from the vendor regarding this
     vulnerability.

uniGone

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

WatchGuard

     No  statement is currently available from the vendor regarding this
     vulnerability.

Wirex

     No  statement is currently available from the vendor regarding this
     vulnerability.

Wind River Systems Inc.

     No  statement is currently available from the vendor regarding this
     vulnerability.

Xerox

     No  statement is currently available from the vendor regarding this
     vulnerability.

ZyXEL

     No  statement is currently available from the vendor regarding this
     vulnerability.
     _________________________________________________________________

   The CERT Coordination Center thanks the NISCC Vulnerability
   Management Team and the University of Oulu Security Programming
   Group (OUSPG) for coordinating the discovery and release of the
   technical details of this issue.
     _________________________________________________________________

   Feedback may be directed to the authors: Jeffrey S. Havrilla, Mindi
   J. McDowell, Shawn V. Hernan and Jason A. Rafail
 
______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2004-01.html
 
______________________________________________________________________

CERT/CC Contact Information

   Email: cert@xxxxxxxx
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site
   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@xxxxxxxxx Please include in the body of your
   message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
 
______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the
   Software Engineering Institute is furnished on an "as is" basis.
   Carnegie Mellon University makes no warranties of any kind, either
   expressed or implied as to any matter including, but not limited to,
   warranty of fitness for a particular purpose or merchantability,
   exclusivity or results obtained from use of the material. Carnegie
   Mellon University does not make any warranty of any kind with
   respect to freedom from patent, trademark, or copyright
   infringement.
 
______________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2004 Carnegie Mellon University.

   Revision History
January 13, 2004:  Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQASK7JZ2NNT/dVAVAQG65wP8C7DyEvZGz0HqXtRqk+PAjjpMqex1hdjT
BfkT6oHMhTWIdvUE1mpAwnV7OPL+N+UugCC0bAEXQzBy/YkBBOptt7IZdIeOlInh
AP0RO5zqt0GqMIrdW7P14iWBX2lLCQaMUgWNyvK4ZTNE9UzpOgBk2JonfBLjbH77
KeVgAqcfP2M=
=p0GQ
-----END PGP SIGNATURE-----
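
Added example, not part of the CERT advisory or of either poster's message: one way to check that the "Filter network traffic" advice is actually in force is to audit border flow logs for accepted inbound 1720/TCP and 1720/UDP traffic from external hosts that are not on the list of peers requiring H.323. The log format, the internal range and the allowed peer below are assumptions constructed for this sketch.

```python
"""Audit border flow records against the advisory's H.323 filtering advice."""
import ipaddress

H323_PORT = 1720                 # from the advisory: 1720/TCP and 1720/UDP
H323_PROTOCOLS = {"tcp", "udp"}

# Assumed site values, constructed for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_PEERS = [ipaddress.ip_network("198.51.100.10/32")]  # external hosts that require H.323

# Constructed sample records in an assumed format: "src dst proto dport action"
SAMPLE_FLOWS = """\
203.0.113.7 10.1.2.20 tcp 1720 ACCEPT
198.51.100.10 10.1.2.20 tcp 1720 ACCEPT
203.0.113.9 10.1.2.20 udp 1720 DROP
10.3.3.3 10.1.2.20 tcp 1720 ACCEPT
203.0.113.7 10.1.2.20 tcp 443 ACCEPT
192.0.2.55 10.1.2.21 udp 1720 ACCEPT
this line is malformed
"""

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def parse_flow(line):
    """Return (src, dst, proto, dport, action), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        src = ipaddress.ip_address(parts[0])
        dst = ipaddress.ip_address(parts[1])
        dport = int(parts[3])
    except ValueError:
        return None
    return src, dst, parts[2].lower(), dport, parts[4].upper()

def audit(flow_text):
    """Return (violations, skipped) for accepted inbound H.323 from unlisted hosts."""
    violations, skipped = [], 0
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow is None:
            skipped += 1          # count unparseable records instead of hiding them
            continue
        src, dst, proto, dport, action = flow
        is_h323 = dport == H323_PORT and proto in H323_PROTOCOLS
        inbound = _in_any(dst, INTERNAL_NETS) and not _in_any(src, INTERNAL_NETS)
        if is_h323 and inbound and action == "ACCEPT" and not _in_any(src, ALLOWED_PEERS):
            violations.append((str(src), str(dst), proto))
    return violations, skipped

if __name__ == "__main__":
    found, bad = audit(SAMPLE_FLOWS)
    for src, dst, proto in found:
        print(f"unfiltered H.323: {src} -> {dst} {H323_PORT}/{proto}")
    print(f"{bad} record(s) skipped as malformed")
```

A non-empty result means the border filter is passing H.323 setup traffic from a host outside the allowed list; internal-to-internal flows and dropped flows are ignored.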

