'cept SIP rarely works through firewalls. Which is why getting voice apps attached to IM clients working is such a pain in the ___.

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, January 14, 2004 11:34 AM
Subject: [isalist] RE: Fw: CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities

> http://www.ISAserver.org
>
> Did anyone else notice the use of the term "SIP"?
> Can we say "IM apps"?
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://www.microsoft.com/isaserver
> http://isaserver.org/Jim_Harrison
> http://isatools.org
>
> Read the help, books and articles!
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, January 14, 2004 09:42
> Subject: [isalist] RE: Fw: CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities
>
>
> http://www.ISAserver.org
>
> BWWWWWAAAAAAAAAAAAAA! :)
>
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server 2004 Beta - Coming Soon
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
>
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 14, 2004 11:38 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Fw: CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities
>
>
> http://www.ISAserver.org
>
> ..just in case you thought it was only MS products that were affected...
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://www.microsoft.com/isaserver
> http://isaserver.org/Jim_Harrison
> http://isatools.org
>
> Read the help, books and articles!
>
> ----- Original Message -----
> From: "CERT Advisory" <cert-advisory@xxxxxxxx>
> To: <cert-advisory@xxxxxxxx>
> Sent: Wednesday, January 14, 2004 07:43
> Subject: CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities
>
> Original release date: January 13, 2004
> Last revised: --
> Source: CERT/CC, NISCC
>
> A complete revision history can be found at the end of this file.
>
> Systems Affected
>
> * Many software and hardware systems that implement the H.323
>   protocol
>
>   Examples include
>   + Voice over Internet Protocol (VoIP) devices and software
>   + Video conferencing equipment and software
>   + Session Initiation Protocol (SIP) devices and software
>   + Media Gateway Control Protocol (MGCP) devices and software
>   + Other networking equipment that may process H.323 traffic
>     (e.g., routers and firewalls)
>
> Overview
>
> A number of vulnerabilities have been discovered in various
> implementations of the multimedia telephony protocol H.323. Voice over
> Internet Protocol (VoIP) and video conferencing equipment and software
> can use these protocols to communicate over a variety of computer
> networks.
>
> I. Description
>
> The U.K. National Infrastructure Security Co-ordination Centre (NISCC)
> has reported multiple vulnerabilities in different vendor
> implementations of the multimedia telephony protocol H.323. H.323 is
> an international standard protocol, published by the International
> Telecommunications Union, used to facilitate communication among
> telephony and multimedia systems. Examples of such systems include
> VoIP, video-conferencing equipment, and network devices that manage
> H.323 traffic.
> A test suite developed by NISCC and the University of
> Oulu Security Programming Group (OUSPG) has exposed multiple
> vulnerabilities in a variety of implementations of the H.323 protocol
> (specifically its connection setup sub-protocol H.225.0).
>
> Information about individual vendor H.323 implementations is available
> in the Vendor Information section below, and in the Vendor Information
> section of NISCC Vulnerability Advisory 006489/H323.
>
> The U.K. National Infrastructure Security Co-ordination Centre is
> tracking these vulnerabilities as NISCC/006489/H.323. The CERT/CC is
> tracking this issue as VU#749342. This reference number corresponds to
> CVE candidate CAN-2003-0819, as referenced in Microsoft Security
> Bulletin MS04-001.
>
> II. Impact
>
> Exploitation of these vulnerabilities may result in the execution of
> arbitrary code or cause a denial of service, which in some cases may
> require a system reboot.
>
> III. Solution
>
> Apply a patch or upgrade
>
> Appendix A and the Systems Affected section of Vulnerability Note
> VU#749342 contain information provided by vendors for this advisory
> (<http://www.kb.cert.org/vuls/id/749342#systems>).
>
> However, as vendors report new information to the CERT/CC, we will
> only update VU#749342. If a particular vendor is not listed, we have
> not received their comments. Please contact your vendor directly.
>
> Filter network traffic
>
> Sites are encouraged to apply network packet filters to block access
> to the H.323 services at network borders. This can minimize the
> potential of denial-of-service attacks originating from outside the
> perimeter. The specific services that should be filtered include
>
> * 1720/TCP
> * 1720/UDP
>
> If access cannot be filtered at the network perimeter, the CERT/CC
> recommends limiting access to only those external hosts that require
> H.323 for normal operation.
> As a general rule, filtering all types of
> network traffic that are not required for normal operation is
> recommended.
>
> It is important to note that some firewalls process H.323 packets and
> may themselves be vulnerable to attack. As noted in some vendor
> recommendations like Cisco Security Advisory 20040113-h323 and
> Microsoft Security Bulletin MS04-001, certain sites may actually want
> to disable application layer inspection of H.323 network packets.
>
> Protecting your infrastructure against these vulnerabilities may
> require careful coordination among application, computer, network, and
> telephony administrators. You may have to make tradeoffs between
> security and functionality until vulnerable products can be updated.
>
> Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for this
> advisory. Please see the Systems Affected section of Vulnerability
> Note VU#749342 and the Vendor Information section of NISCC
> Vulnerability Advisory 006489/H323 for the latest information
> regarding the response of the vendor community to this issue.
>
> 3Com
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Alcatel
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Apple Computer Inc.
>
> Apple: Not Vulnerable. Mac OS X and Mac OS X Server do not contain
> the issue described in this note.
>
> AT&T
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Avaya
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Borderware
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Check Point
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> BSDI
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Cisco Systems Inc.
>
> Please see
> http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml
>
> Clavister
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Computer Associates
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Cyberguard
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Debian
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> D-Link Systems
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Conectiva
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> EMC Corporation
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Engarde
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> eSoft
>
> We don't have an H.323 implementation and thus aren't affected by
> this.
>
> Extreme Networks
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> F5 Networks
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Foundry Networks Inc.
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> FreeBSD
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Fujitsu
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Global Technology Associates
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Hitachi
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Hewlett-Packard Company
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Ingrian Networks
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Intel
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Intoto
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Juniper Networks
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Lachman
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Linksys
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Lotus Software
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Lucent Technologies
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Microsoft Corporation
>
> Please see
> http://www.microsoft.com/technet/security/bulletin/MS04-001.asp
>
> MontaVista Software
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> MandrakeSoft
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Multi-Tech Systems Inc.
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> NEC Corporation
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> NetBSD
>
> NetBSD does not ship any H.323 implementations as part of the
> Operating System.
>
> There are a number of third-party implementations available in the
> pkgsrc system. As these products are found to be vulnerable, or
> updated, the packages will be updated accordingly.
> The audit-packages mechanism can be used to check for known-vulnerable
> package versions.
>
> Netfilter
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> NetScreen
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Network Appliance
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Nokia
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Nortel Networks
>
> The following Nortel Networks Generally Available products and
> solutions are potentially affected by the vulnerabilities
> identified in NISCC Vulnerability Advisory 006489/H323 and CERT
> VU#749342:
>
> Business Communications Manager (BCM) (all versions) is potentially
> affected; more information is available in Product Advisory Alert
> No. PAA 2003-0392-Global.
>
> Succession 1000 IP Trunk and IP Peer Networking, and 802.11
> Wireless IP Gateway are potentially affected; more information is
> available in Product Advisory Alert No. PAA-2003-0465-Global.
>
> For more information please contact
>
> North America: 1-800-4NORTEL or 1-800-466-7835
> Europe, Middle East and Africa: 00800 8008 9009,
> or +44 (0) 870 907 9009
>
> Contacts for other regions are available at
>
> http://www.nortelnetworks.com/help/contact/global/
>
> Or visit the eService portal at http://www.nortelnetworks.com/cs
> under Advanced Search.
>
> If you are a channel partner, more information can be found under
>
> http://www.nortelnetworks.com/pic
>
> under Advanced Search.
>
> Novell
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Objective Systems Inc.
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> OpenBSD
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Openwall GNU/*/Linux
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> RadVision
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Red Hat Inc.
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Oracle Corporation
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Riverstone Networks
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Secure Computing Corporation
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> SecureWorks
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Sequent
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Sony Corporation
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Stonesoft
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Sun Microsystems Inc.
>
> Sun SNMP does not provide support for H.323, so we are not
> vulnerable. And so far we have not found any bundled products that
> are affected by this vulnerability. We are also actively
> investigating our unbundled products to see if they are affected.
> Updates will be provided to this statement as they become
> available.
>
> SuSE Inc.
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Symantec Corporation
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Unisys
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> TandBerg
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> Tumbleweed Communications Corp.
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> TurboLinux
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> uniGone
>
> Please see the NISCC Vulnerability Advisory 006489/H323 at
> http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
>
> WatchGuard
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Wirex
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Wind River Systems Inc.
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> Xerox
>
> No statement is currently available from the vendor regarding this
> vulnerability.
>
> ZyXEL
>
> No statement is currently available from the vendor regarding this
> vulnerability.
> _________________________________________________________________
>
> The CERT Coordination Center thanks the NISCC Vulnerability Management
> Team and the University of Oulu Security Programming Group (OUSPG) for
> coordinating the discovery and release of the technical details of
> this issue.
> _________________________________________________________________
>
> Feedback may be directed to the authors: Jeffrey S. Havrilla, Mindi J.
> McDowell, Shawn V. Hernan and Jason A. Rafail
>
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2004-01.html
>
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: cert@xxxxxxxx
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> EDT(GMT-4) Monday through Friday; they are on call for emergencies
> during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to majordomo@xxxxxxxxx Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
>
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
>
> ______________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2004 Carnegie Mellon University.
>
> Revision History
> January 13, 2004: Initial release
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> iQCVAwUBQASK7JZ2NNT/dVAVAQG65wP8C7DyEvZGz0HqXtRqk+PAjjpMqex1hdjT
> BfkT6oHMhTWIdvUE1mpAwnV7OPL+N+UugCC0bAEXQzBy/YkBBOptt7IZdIeOlInh
> AP0RO5zqt0GqMIrdW7P14iWBX2lLCQaMUgWNyvK4ZTNE9UzpOgBk2JonfBLjbH77
> KeVgAqcfP2M=
> =p0GQ
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
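
The border filtering recommended in the advisory's "Filter network traffic" section, as an added example that is not part of the original thread or the CERT advisory: a Python check that a packet-filter ruleset closes 1720/TCP and 1720/UDP to everyone except the external hosts that need H.323. The iptables-save rule text, the peer address 192.0.2.10 and all function names are constructed for illustration; only source, protocol and destination-port matches are modelled.

```python
import ipaddress
import shlex

H323_PORT = 1720  # the advisory names 1720/TCP and 1720/UDP

# Constructed rulesets in iptables-save syntax (FORWARD chain, policy ACCEPT).
# 192.0.2.10 is a hypothetical external H.323 peer from the documentation range.
WEAK_RULES = """\
-A FORWARD -s 192.0.2.10/32 -p tcp --dport 1720 -j ACCEPT
-A FORWARD -p tcp --dport 1720 -j DROP
"""
FIXED_RULES = """\
-A FORWARD -s 192.0.2.10/32 -p tcp --dport 1720 -j ACCEPT
-A FORWARD -s 192.0.2.10/32 -p udp --dport 1720 -j ACCEPT
-A FORWARD -p tcp --dport 1720 -j DROP
-A FORWARD -p udp --dport 1720 -j DROP
"""

def parse_rules(text):
    """Parse '-A FORWARD [-s CIDR] [-p PROTO] [--dport N] -j TARGET' lines."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "FORWARD"]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))  # option/value pairs
        rules.append({"src": ipaddress.ip_network(opts.get("-s", "0.0.0.0/0")),
                      "proto": opts.get("-p"), "target": opts.get("-j"),
                      "dport": int(opts["--dport"]) if "--dport" in opts else None})
    return rules

def applies(rule, proto):
    """True if the rule can match traffic to port 1720 for this protocol."""
    return rule["proto"] in (None, proto) and rule["dport"] in (None, H323_PORT)

def verdict(rules, src, proto, policy):
    """First matching terminating rule decides; otherwise the chain policy."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if applies(r, proto) and addr in r["src"] and r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
    return policy

def audit(rules_text, allowed_peers, policy="ACCEPT"):
    """Return findings; an empty list means only allowed_peers reach port 1720."""
    rules = parse_rules(rules_text)
    allowed = [ipaddress.ip_network(p) for p in allowed_peers]
    findings = []
    for proto in ("tcp", "udp"):
        closed = False
        for r in (r for r in rules if applies(r, proto)):
            if r["target"] == "ACCEPT" and not any(r["src"].subnet_of(a) for a in allowed):
                findings.append(f"{H323_PORT}/{proto}: ACCEPT from non-listed source {r['src']}")
            if r["target"] in ("DROP", "REJECT") and r["src"].prefixlen == 0:
                closed = True  # catch-all block reached; later rules cannot match
                break
        if not closed and policy == "ACCEPT":
            findings.append(f"{H323_PORT}/{proto}: no catch-all block, policy ACCEPT applies")
        for peer in allowed:
            if verdict(rules, str(peer.network_address), proto, policy) != "ACCEPT":
                findings.append(f"{H323_PORT}/{proto}: required peer {peer} is blocked")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(name, audit(text, ["192.0.2.10"]))
```

The weak ruleset filters only TCP, so 1720/UDP falls through to the chain policy; the check is conservative and will also flag a broad ACCEPT that a narrower earlier DROP partly covers.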