RE: Fw: CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities
- From: "Ray Dzek" <rdzek@xxxxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 14 Jan 2004 12:39:29 -0800
'cept SIP rarely works though firewalls. Which is why getting voice apps
attached to IM clients working is such a pain in the ___.
----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, January 14, 2004 11:34 AM
Subject: [isalist] RE: Fw: CERT Advisory CA-2004-01 Multiple H.323 Message
Vulnerabilities
> http://www.ISAserver.org
>
> Did anyone else notice the use of the term "SIP"?
> Can we say "IM apps"?
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://www.microsoft.com/isaserver
> http://isaserver.org/Jim_Harrison
> http://isatools.org
>
> Read the help, books and articles!
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, January 14, 2004 09:42
> Subject: [isalist] RE: Fw: CERT Advisory CA-2004-01 Multiple H.323 Message
Vulnerabilities
>
>
> http://www.ISAserver.org
>
> BWWWWWAAAAAAAAAAAAAA! :)
>
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server 2004 Beta - Coming Soon
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
>
>
>
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 14, 2004 11:38 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Fw: CERT Advisory CA-2004-01 Multiple H.323 Message
> Vulnerabilities
>
>
> http://www.ISAserver.org
>
> ..just in case you thought it was only MS products that were affected...
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://www.microsoft.com/isaserver
> http://isaserver.org/Jim_Harrison
> http://isatools.org
>
> Read the help, books and articles!
>
> ----- Original Message -----
> From: "CERT Advisory" <cert-advisory@xxxxxxxx>
> To: <cert-advisory@xxxxxxxx>
> Sent: Wednesday, January 14, 2004 07:43
> Subject: CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities
>
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities
>
> Original release date: January 13, 2004
> Last revised: --
> Source: CERT/CC, NISCC
>
> A complete revision history can be found at the end of this file.
>
> Systems Affected
>
> * Many software and hardware systems that implement the
> H.323
> protocol
>
> Examples include
> + Voice over Internet Protocol (VoIP) devices and software
> + Video conferencing equipment and software
> + Session Initiation Protocol (SIP) devices and software
> + Media Gateway Control Protocol (MGCP) devices and software
> + Other networking equipment that may process H.323
> traffic
> (e.g., routers and firewalls)
>
> Overview
>
> A number of vulnerabilities have been discovered in
> various
> implementations of the multimedia telephony protocol H.323. Voice
> over
> Internet Protocol (VoIP) and video conferencing equipment and
> software
> can use these protocols to communicate over a variety of
> computer
> networks.
>
> I. Description
>
> The U.K. National Infrastructure Security Co-ordination Centre
> (NISCC)
> has reported multiple vulnerabilities in different
> vendor
> implementations of the multimedia telephony protocol H.323. H.323
> is
> an international standard protocol, published by the
> International
> Telecommunications Union, used to facilitate communication
> among
> telephony and multimedia systems. Examples of such systems
> include
> VoIP, video-conferencing equipment, and network devices that
> manage
> H.323 traffic. A test suite developed by NISCC and the University
> of
> Oulu Security Programming Group (OUSPG) has exposed
> multiple
> vulnerabilities in a variety of implementations of the H.323
> protocol
> (specifically its connection setup sub-protocol H.225.0).
>
> Information about individual vendor H.323 implementations is
> available
> in the Vendor Information section below, and in the Vendor
> Information
> section of NISCC Vulnerability Advisory 006489/H323.
>
> The U.K. National Infrastructure Security Co-ordination Centre
> is
> tracking these vulnerabilities as NISCC/006489/H.323. The CERT/CC
> is
> tracking this issue as VU#749342. This reference number corresponds
> to
> CVE candidate CAN-2003-0819, as referenced in Microsoft
> Security
> Bulletin MS04-001.
>
> II. Impact
>
> Exploitation of these vulnerabilities may result in the execution
> of
> arbitrary code or cause a denial of service, which in some cases
> may
> require a system reboot.
>
> III. Solution
>
> Apply a patch or upgrade
>
> Appendix A and the Systems Affected section of Vulnerability
> Note
> VU#749342 contain information provided by vendors for this advisory
> (<http://www.kb.cert.org/vuls/id/749342#systems>).
>
> However, as vendors report new information to the CERT/CC, we
> will
> only update VU#749342. If a particular vendor is not listed, we
> have
> not received their comments. Please contact your vendor directly.
>
> Filter network traffic
>
> Sites are encouraged to apply network packet filters to block
> access
> to the H.323 services at network borders. This can minimize
> the
> potential of denial-of-service attacks originating from outside
> the
> perimeter. The specific services that should be filtered include
>
> * 1720/TCP
> * 1720/UDP
>
> If access cannot be filtered at the network perimeter, the
> CERT/CC
> recommends limiting access to only those external hosts that
> require
> H.323 for normal operation. As a general rule, filtering all types
> of
> network traffic that are not required for normal operation
> is
> recommended.
>
> It is important to note that some firewalls process H.323 packets
> and
> may themselves be vulnerable to attack. As noted in some
> vendor
> recommendations like Cisco Security Advisory 20040113-h323
> and
> Microsoft Security Bulletin MS04-001, certain sites may actually
> want
> to disable application layer inspection of H.323 network packets.
>
> Protecting your infrastructure against these vulnerabilities
> may
> require careful coordination among application, computer, network,
> and
> telephony administrators. You may have to make tradeoffs
> between
> security and functionality until vulnerable products can be updated.
>
> Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for
> this
> advisory. Please see the Systems Affected section of
> Vulnerability
> Note VU#749342 and the Vendor Information section of
> NISCC
> Vulnerability Advisory 006489/H323 for the latest
> information
> regarding the response of the vendor community to this issue.
>
> 3Com
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Alcatel
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Apple Computer Inc.
>
> Apple: Not Vulnerable. Mac OS X and Mac OS X Server do not contain
> the issue described in this note.
>
> AT&T
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Avaya
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Borderware
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Check Point
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> BSDI
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Cisco Systems Inc.
>
> Please see
> http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml
>
> Clavister
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Computer Associates
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Cyberguard
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Debian
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> D-Link Systems
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Conectiva
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> EMC Corporation
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Engarde
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> eSoft
>
> We don't have an H.323 implementation and thus aren't affected by
> this.
>
> Extreme Networks
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> F5 Networks
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Foundry Networks Inc.
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> FreeBSD
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Fujitsu
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Global Technology Associates
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Hitachi
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Hewlett-Packard Company
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Ingrian Networks
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Intel
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Intoto
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Juniper Networks
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Lachman
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Linksys
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Lotus Software
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Lucent Technologies
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Microsoft Corporation
>
> Please see
> http://www.microsoft.com/technet/security/bulletin/MS04-001.asp
>
> MontaVista Software
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> MandrakeSoft
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Multi-Tech Systems Inc.
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> NEC Corporation
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> NetBSD
>
> NetBSD does not ship any H.323 implementations as part of the
> Operating System.
>
> There are a number of third-party implementations available in the
> pkgsrc system. As these products are found to be vulnerable, or
> updated, the packages will be updated accordingly. The
> audit-packages mechanism can be used to check for known-vulnerable
> package versions.
>
> Netfilter
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> NetScreen
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Network Appliance
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Nokia
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Nortel Networks
>
> The following Nortel Networks Generally Available products and
> solutions are potentially affected by the vulnerabilities
> identified in NISCC Vulnerability Advisory 006489/H323 and CERT
> VU#749342:
>
> Business Communications Manager (BCM) (all versions) is potentially
> affected; more information is available in Product Advisory Alert
> No. PAA 2003-0392-Global.
>
> Succession 1000 IP Trunk and IP Peer Networking, and 802.11
> Wireless IP Gateway are potentially affected; more information is
> available in Product Advisory Alert No. PAA-2003-0465-Global.
>
> For more information please contact
>
> North America: 1-800-4NORTEL or 1-800-466-7835
> Europe, Middle East and Africa: 00800 8008 9009,
> or +44 (0) 870 907 9009
>
> Contacts for other regions are available at
>
> http://www.nortelnetworks.com/help/contact/global/
>
> Or visit the eService portal at http://www.nortelnetworks.com/cs
> under Advanced Search.
>
> If you are a channel partner, more information can be found under
>
> http://www.nortelnetworks.com/pic
>
> under Advanced Search.
>
> Novell
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Objective Systems Inc.
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> OpenBSD
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Openwall GNU/*/Linux
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> RadVision
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Red Hat Inc.
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Oracle Corporation
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Riverstone Networks
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Secure Computing Corporation
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> SecureWorks
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Sequent
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Sony Corporation
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Stonesoft
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Sun Microsystems Inc.
>
> Sun SNMP does not provide support for H.323, so we are not
> vulnerable. And so far we have not found any bundled products that
> are affected by this vulnerability. We are also actively
> investigating our unbundled products to see if they are affected.
> Updates will be provided to this statement as they become
> available.
>
> SuSE Inc.
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Symantec Corporation
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Unisys
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> TandBerg
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Tumbleweed Communications Corp.
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> TurboLinux
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> uniGone
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> WatchGuard
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Wirex
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Wind River Systems Inc.
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Xerox
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> ZyXEL
>
> No statement is currently available from the vendor regarding this
> vulnerability.
> _________________________________________________________________
>
> The CERT Coordination Center thanks the NISCC Vulnerability
> Management
> Team and the University of Oulu Security Programming Group (OUSPG)
> for
> coordinating the discovery and release of the technical details
> of
> this issue.
> _________________________________________________________________
>
> Feedback may be directed to the authors: Jeffrey S. Havrilla, Mindi
> J.
> McDowell, Shawn V. Hernan and Jason A. Rafail
>
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2004-01.html
>
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: cert@xxxxxxxx
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5)
> /
> EDT(GMT-4) Monday through Friday; they are on call for
> emergencies
> during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by
> email.
> Our public PGP key is available from
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for
> more
> information.
>
> Getting security information
>
> CERT publications and other security information are available
> from
> our web site
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and
> bulletins,
> send email to majordomo@xxxxxxxxx Please include in the body of
> your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the
> U.S.
> Patent and Trademark Office.
>
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the
> Software
> Engineering Institute is furnished on an "as is" basis.
> Carnegie
> Mellon University makes no warranties of any kind, either expressed
> or
> implied as to any matter including, but not limited to, warranty
> of
> fitness for a particular purpose or merchantability, exclusivity
> or
> results obtained from use of the material. Carnegie Mellon
> University
> does not make any warranty of any kind with respect to freedom
> from
> patent, trademark, or copyright infringement.
>
> ______________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2004 Carnegie Mellon University.
>
> Revision History
> January 13, 2004: Initial release
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> iQCVAwUBQASK7JZ2NNT/dVAVAQG65wP8C7DyEvZGz0HqXtRqk+PAjjpMqex1hdjT
> BfkT6oHMhTWIdvUE1mpAwnV7OPL+N+UugCC0bAEXQzBy/YkBBOptt7IZdIeOlInh
> AP0RO5zqt0GqMIrdW7P14iWBX2lLCQaMUgWNyvK4ZTNE9UzpOgBk2JonfBLjbH77
> KeVgAqcfP2M=
> =p0GQ
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
rdzek@xxxxxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
Other related posts:
