Published:
13 January 2004
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2004.0029 -- NISCC Vulnerability Advisory 006489/H323 Vulnerability Issues in Implementations of the H.323 Protocol 14 January 2004 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: H.323 Protocol Publisher: NISCC Impact: Denial of Service Execute Arbitrary Code/Commands Access Required: Remote Comment: H.323 is a protocol that supports inter-operability between vendor implementations of telephony and multimedia products across IP based networks. Vulnerable devices include network components such as firewalls, routers and proxies that support VoIP and videoconferencing. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- - - ---------------------------------------------------------------------------------- UNIRAS (UK Govt CERT) ALERT - 01/04 dated 13.01.04 Time: 12:00 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre) - - ---------------------------------------------------------------------------------- UNIRAS material is also available from its website at www.uniras.gov.uk and Information about NISCC is available from www.niscc.gov.uk - - ---------------------------------------------------------------------------------- Title ===== NISCC Vulnerability Advisory 006489/H323 Detail ====== Vulnerability Issues in Implementations of the H.323 Protocol Version Information - - ------------------- Advisory Reference 006489/H323 Release Date 13 January 2004 Last Revision 13 January 2004 Version Number 1.1 What is affected? - - ----------------- The vulnerabilities described in this advisory affect the network protocol H.323. Many vendors include support for this protocol in their products and may be impacted to varying degrees, if at all. The web page detailing this vulnerability includes any vendor specific information that is available to us. Please see http://www.uniras.gov.uk/vuls/2004/006489/h323.htm for further information. Severity - - -------- The severity of these vulnerabilities varies by vendor. Please see the vendor section below for further information. Alternatively contact your vendor for product specific information. If exploited, these vulnerabilities could allow an attacker to create a Denial of Service condition. There are indications that it may be possible for an attacker to execute code as a result of a buffer overflow. Summary - - ------- During 2002 the University of Oulu Security Programming Group (OUSPG) discovered a number of implementation specific vulnerabilities in the Simple Network Management Protocol (SNMP). Subsequent to this discovery, NISCC has performed and commissioned further work on identifying implementation specific vulnerabilities in related protocols that are critical to the UK Critical National Infrastructure. One of these protocols is H.225 which is part of the H.323 family and commonly implemented as a component of multimedia applications such as Voice Over IP. OUSPG has produced a test suite for H.225 and employed it to validate their findings against a number of products from different vendors. The test results have been confirmed by testing performed by NISCC and the affected vendors contacted with the test results. These vendors' product lines cover a great deal of the existing critical information infrastructure worldwide and have therefore been addressed as a priority. However, NISCC has subsequently contacted other vendors whose products employ H.323 and provided them with tools with which to test these implementations. All users of network and multimedia equipment are recommended to take note of this advisory and carry out any remedial actions suggested by their vendor(s). This advisory can be viewed on-line at: http://www.uniras.gov.uk/vuls/2004/006489/h323.htm [Please note that revisions to this advisory will not be notified by email. All subscribers are advised to regularly check the URL above for updates to this notice.] Details - - ------- H.323 is an international standard protocol, published by the International Telecommunications Union, that supports inter-operability between vendor implementations of telephony and multimedia products across IP based networks. As such it is often supported on network perimeter and multimedia hardware such as video-conferencing equipment. The specific sub-component that has been tested, H.225, deals with the set-up of connections between H.323 devices. Further detail will be released as it becomes available. Solution - - -------- Please refer to the Vendor Information section of this advisory for platform specific remediation. Vendor Information - - ------------------ A list of vendors affected by this vulnerability is not currently available. Please visit the web site in order to check for updates. Contact Information - - ------------------- The NISCC Vulnerability Management Team can be contacted as follows: Email vulteam@niscc.gov.uk Please quote the advisory reference in the subject line Telephone +44 (0) 20 7821 1330 Ext 4511 Monday - Friday 08:30 - 17:00 Fax +44 (0) 20 7821 1686 Post Vulnerability Management Team NISCC PO Box 832 London SW1P 1BG We encourage those who wish to communicate via email to make use of our PGP key. This is available from http://www.uniras.gov.uk/UNIRAS.asc Please note that UK government protectively marked material should not be sent to the email address above. If you wish to be added to our email distribution list please email your request to uniras@niscc.gov.uk. What is NISCC? - - -------------- For further information regarding the UK National Infrastructure Security Co-ordination Centre, please visit http://www.niscc.gov.uk/aboutniscc/index.htm. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. Neither shall NISCC accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice. © 2004 Crown Copyright <End of NISCC Vulnerability Advisory> - - ---------------------------------------------------------------------------------- For additional information or assistance, please contact the HELP Desk by telephone or Not Protectively Marked information may be sent via EMail to: uniras@niscc.gov.uk Office Hours: Mon - Fri: 08:30 - 17:00 Hrs Tel: +44 (0) 20 7821 1330 Ext 4511 Fax: +44 (0) 20 7821 1686 Outside of Office Hours: On Call Duty Officer: Tel: +44 (0) 20 7821 1330 and follow the prompts - - ---------------------------------------------------------------------------------- UNIRAS wishes to acknowledge the contributions of OUSPG for the information contained in this Briefing. - - ---------------------------------------------------------------------------------- This Briefing contains the information released by the original author. Some of the information may have changed since it was released. If the vulnerability affects you, it may be prudent to retrieve the advisory from the canonical site to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. Neither UNIRAS or NISCC shall also accept responsibility for any errors or omissions contained within this briefing notice. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice. UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large. - - ---------------------------------------------------------------------------------- <End of UNIRAS Briefing> - -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQCVAwUBQAPa0Ipao72zK539AQENnAP9Ff3GtyOtiUtriuGBXQA9YIMdJyjYBO+X oCU7Q+DGK5mwJennTlb3ftowBX5NHZVzKn2UuoI/H2gHRkYEtiwAuQx6srrSD7cg rg/NFoA8ug5cIf0Q6q7WsYtaJVrkf4nEPhY1NWg6FMveW+2FrlIGu7rohcRCHnPs 41pNuVAQ5JA= =tomq - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBQAR5myh9+71yA2DNAQH8JAP9HKl0oj+kluFZEglnsrlB9gaCghc40eX7 RD4ZXAlIZ8kjAMub2pCCm9XPfDHDTdurhiewR3UCwZIfOP5TfcVCWYCv60J2SQZ5 mATeO4JT4Fssvhkm0OcwWXfAdAHT5owrFWtnGIob8BrIqPZmDfNsbM3u/hgRMTkW 8r4q/2XK7hs= =dM2c -----END PGP SIGNATURE-----