Published:
13 January 2004
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2004.0029 -- NISCC Vulnerability Advisory 006489/H323
Vulnerability Issues in Implementations of the H.323 Protocol
14 January 2004
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: H.323 Protocol
Publisher: NISCC
Impact: Denial of Service
Execute Arbitrary Code/Commands
Access Required: Remote
Comment: H.323 is a protocol that supports inter-operability between
vendor implementations of telephony and multimedia products across IP
based networks. Vulnerable devices include network components such as
firewalls, routers and proxies that support VoIP and videoconferencing.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - ----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) ALERT - 01/04 dated 13.01.04 Time: 12:00
UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre)
- - ----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk
- - ----------------------------------------------------------------------------------
Title
=====
NISCC Vulnerability Advisory 006489/H323
Detail
======
Vulnerability Issues in Implementations of the H.323 Protocol
Version Information
- - -------------------
Advisory Reference 006489/H323
Release Date 13 January 2004
Last Revision 13 January 2004
Version Number 1.1
What is affected?
- - -----------------
The vulnerabilities described in this advisory affect the network protocol
H.323. Many vendors include support for this protocol in their products
and may be impacted to varying degrees, if at all. The web page detailing
this vulnerability includes any vendor specific information that is
available to us.
Please see http://www.uniras.gov.uk/vuls/2004/006489/h323.htm for further
information.
Severity
- - --------
The severity of these vulnerabilities varies by vendor. Please see the
vendor section below for further information. Alternatively contact your
vendor for product specific information.
If exploited, these vulnerabilities could allow an attacker to create a
Denial of Service condition. There are indications that it may be possible
for an attacker to execute code as a result of a buffer overflow.
Summary
- - -------
During 2002 the University of Oulu Security Programming Group (OUSPG)
discovered a number of implementation specific vulnerabilities in the
Simple Network Management Protocol (SNMP). Subsequent to this discovery,
NISCC has performed and commissioned further work on identifying
implementation specific vulnerabilities in related protocols that are
critical to the UK Critical National Infrastructure. One of these
protocols is H.225 which is part of the H.323 family and commonly
implemented as a component of multimedia applications such as
Voice Over IP.
OUSPG has produced a test suite for H.225 and employed it to validate their
findings against a number of products from different vendors. The test
results have been confirmed by testing performed by NISCC and the affected
vendors contacted with the test results. These vendors' product lines
cover a great deal of the existing critical information infrastructure
worldwide and have therefore been addressed as a priority. However, NISCC
has subsequently contacted other vendors whose products employ H.323 and
provided them with tools with which to test these implementations.
All users of network and multimedia equipment are recommended to take note
of this advisory and carry out any remedial actions suggested by their
vendor(s).
This advisory can be viewed on-line at:
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
[Please note that revisions to this advisory will not be notified by email.
All subscribers are advised to regularly check the URL above for updates to
this notice.]
Details
- - -------
H.323 is an international standard protocol, published by the International
Telecommunications Union, that supports inter-operability between vendor
implementations of telephony and multimedia products across IP based
networks. As such it is often supported on network perimeter and
multimedia hardware such as video-conferencing equipment. The specific
sub-component that has been tested, H.225, deals with the set-up of
connections between H.323 devices.
Further detail will be released as it becomes available.
Solution
- - --------
Please refer to the Vendor Information section of this advisory for
platform specific remediation.
Vendor Information
- - ------------------
A list of vendors affected by this vulnerability is not currently
available. Please visit the web site in order to check for updates.
Contact Information
- - -------------------
The NISCC Vulnerability Management Team can be contacted as follows:
Email vulteam@niscc.gov.uk
Please quote the advisory reference in the subject line
Telephone +44 (0) 20 7821 1330 Ext 4511
Monday - Friday 08:30 - 17:00
Fax +44 (0) 20 7821 1686
Post Vulnerability Management Team
NISCC
PO Box 832
London
SW1P 1BG
We encourage those who wish to communicate via email to make use of our PGP
key. This is available from http://www.uniras.gov.uk/UNIRAS.asc
Please note that UK government protectively marked material should not be
sent to the email address above.
If you wish to be added to our email distribution list please email your
request to uniras@niscc.gov.uk.
What is NISCC?
- - --------------
For further information regarding the UK National Infrastructure Security
Co-ordination Centre, please visit
http://www.niscc.gov.uk/aboutniscc/index.htm.
Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by NISCC. The views and
opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.
Neither shall NISCC accept responsibility for any errors or omissions
contained within this advisory. In particular, they shall not be liable for
any loss or damage whatsoever, arising from or in connection with the
usage of information contained within this notice.
© 2004 Crown Copyright
<End of NISCC Vulnerability Advisory>
- - ----------------------------------------------------------------------------------
For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:
uniras@niscc.gov.uk
Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686
Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts
- - ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of OUSPG for the information
contained in this Briefing.
- - ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.
Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.
Neither UNIRAS or NISCC shall also accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.
UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- - ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQCVAwUBQAPa0Ipao72zK539AQENnAP9Ff3GtyOtiUtriuGBXQA9YIMdJyjYBO+X
oCU7Q+DGK5mwJennTlb3ftowBX5NHZVzKn2UuoI/H2gHRkYEtiwAuQx6srrSD7cg
rg/NFoA8ug5cIf0Q6q7WsYtaJVrkf4nEPhY1NWg6FMveW+2FrlIGu7rohcRCHnPs
41pNuVAQ5JA=
=tomq
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQAR5myh9+71yA2DNAQH8JAP9HKl0oj+kluFZEglnsrlB9gaCghc40eX7
RD4ZXAlIZ8kjAMub2pCCm9XPfDHDTdurhiewR3UCwZIfOP5TfcVCWYCv60J2SQZ5
mATeO4JT4Fssvhkm0OcwWXfAdAHT5owrFWtnGIob8BrIqPZmDfNsbM3u/hgRMTkW
8r4q/2XK7hs=
=dM2c
-----END PGP SIGNATURE-----