CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities

Original release date: January 13, 2004
Last revised: --
Source: CERT/CC, NISCC

A complete revision history can be found at the end of this file.

Systems Affected

* Many software and hardware systems that implement the H.323
protocol

Examples include
+ Voice over Internet Protocol (VoIP) devices and software
+ Video conferencing equipment and software
+ Session Initiation Protocol (SIP) devices and software
+ Media Gateway Control Protocol (MGCP) devices and software
+ Other networking equipment that may process H.323 traffic
(e.g., routers and firewalls)

Overview

A number of vulnerabilities have been discovered in various
implementations of the multimedia telephony protocol H.323. Voice over
Internet Protocol (VoIP) and video conferencing equipment and software
can use these protocols to communicate over a variety of computer
networks.

I. Description

The U.K. National Infrastructure Security Co-ordination Centre (NISCC)
has reported multiple vulnerabilities in different vendor
implementations of the multimedia telephony protocol H.323. H.323 is
an international standard protocol, published by the International
Telecommunications Union, used to facilitate communication among
telephony and multimedia systems. Examples of such systems include
VoIP, video-conferencing equipment, and network devices that manage
H.323 traffic. A test suite developed by NISCC and the University of
Oulu Security Programming Group (OUSPG) has exposed multiple
vulnerabilities in a variety of implementations of the H.323 protocol
(specifically its connection setup sub-protocol H.225.0).

Information about individual vendor H.323 implementations is available
in the Vendor Information section below, and in the Vendor Information
section of NISCC Vulnerability Advisory 006489/H323.

The U.K. National Infrastructure Security Co-ordination Centre is
tracking these vulnerabilities as NISCC/006489/H.323. The CERT/CC is
tracking this issue as VU#749342. This reference number corresponds to
CVE candidate CAN-2003-0819, as referenced in Microsoft Security
Bulletin MS04-001.

II. Impact

Exploitation of these vulnerabilities may result in the execution of
arbitrary code or cause a denial of service, which in some cases may
require a system reboot.

III. Solution

Apply a patch or upgrade

Appendix A and the Systems Affected section of Vulnerability Note
VU#749342 contain information provided by vendors for this advisory.

However, as vendors report new information to the CERT/CC, we will
only update VU#749342. If a particular vendor is not listed, we have
not received their comments. Please contact your vendor directly.

Filter network traffic

Sites are encouraged to apply network packet filters to block access
to the H.323 services at network borders. This can minimize the
potential of denial-of-service attacks originating from outside the
perimeter. The specific services that should be filtered include

* 1720/TCP
* 1720/UDP

If access cannot be filtered at the network perimeter, the CERT/CC
recommends limiting access to only those external hosts that require
H.323 for normal operation. As a general rule, filtering all types of
network traffic that are not required for normal operation is
recommended.
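The border filter described above, as an added example that is not part of the CERT advisory: a shell function that emits (rather than applies) an iptables ruleset blocking 1720/TCP and 1720/UDP from the outside, with an optional allowlist of external hosts that genuinely need H.323. The interface name, the allowlist addresses and the LOG prefix are assumptions.

```shell
# Added example (not from the advisory). Prints an iptables ruleset for a
# Linux border router so it can be reviewed before being applied.
# Usage: h323_border_rules WAN_IF [ALLOWED_EXTERNAL_HOST ...]
# With no host arguments, 1720/tcp and 1720/udp are blocked outright
# (the advisory's first recommendation); with hosts, only those external
# peers may reach the H.323 call-signalling port (second recommendation).
h323_border_rules() {
    wan_if=$1
    shift
    # Allowlisted external hosts are accepted first, both for the router
    # itself (INPUT) and for the networks behind it (FORWARD).
    for host in "$@"; do
        for proto in tcp udp; do
            echo "iptables -A INPUT   -i $wan_if -p $proto -s $host --dport 1720 -j ACCEPT"
            echo "iptables -A FORWARD -i $wan_if -p $proto -s $host --dport 1720 -j ACCEPT"
        done
    done
    # Everything else from outside aimed at 1720 is logged (rate-limited,
    # so a flood cannot fill the log) and then dropped.
    for proto in tcp udp; do
        for chain in INPUT FORWARD; do
            echo "iptables -A $chain -i $wan_if -p $proto --dport 1720 -m limit --limit 5/min -j LOG --log-prefix \"H323-BLOCK \""
            echo "iptables -A $chain -i $wan_if -p $proto --dport 1720 -j DROP"
        done
    done
    # Note: this filters traffic only; if the router itself performs H.323
    # application-layer inspection, consult the vendor advisory about
    # disabling that inspection as well.
}

# Example invocation (192.0.2.10 is a constructed, documentation-range host).
h323_border_rules eth0 192.0.2.10
```

Pipe the output into `sh` only after reviewing it, and put the ACCEPT/DROP lines ahead of any broader rules already in the chains, since iptables evaluates rules in order.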

It is important to note that some firewalls process H.323 packets and
may themselves be vulnerable to attack. As noted in some vendor
recommendations like Cisco Security Advisory 20040113-h323 and
Microsoft Security Bulletin MS04-001, certain sites may actually want
to disable application layer inspection of H.323 network packets.

Protecting your infrastructure against these vulnerabilities may
require careful coordination among application, computer, network, and
telephony administrators. You may have to make tradeoffs between
security and functionality until vulnerable products can be updated.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this
advisory. Please see the Systems Affected section of Vulnerability
Note VU#749342 and the Vendor Information section of NISCC
Vulnerability Advisory 006489/H323 for the latest information
regarding the response of the vendor community to this issue.

3Com

No statement is currently available from the vendor regarding this
vulnerability.

Alcatel

No statement is currently available from the vendor regarding this
vulnerability.

Apple Computer Inc.

Apple: Not Vulnerable. Mac OS X and Mac OS X Server do not contain
the issue described in this note.

AT&T

No statement is currently available from the vendor regarding this
vulnerability.

Avaya

Please see the NISCC Vulnerability Advisory 006489/H323 at

Borderware

No statement is currently available from the vendor regarding this
vulnerability.

Check Point

No statement is currently available from the vendor regarding this
vulnerability.

BSDI

No statement is currently available from the vendor regarding this
vulnerability.

Cisco Systems Inc.

Please see
https://www.cisco.com/site/us/en/index.html

Clavister

No statement is currently available from the vendor regarding this
vulnerability.

Computer Associates

No statement is currently available from the vendor regarding this
vulnerability.

Cyberguard

Please see the NISCC Vulnerability Advisory 006489/H323 at

Debian

No statement is currently available from the vendor regarding this
vulnerability.

D-Link Systems

No statement is currently available from the vendor regarding this
vulnerability.

Conectiva

No statement is currently available from the vendor regarding this
vulnerability.

EMC Corporation

No statement is currently available from the vendor regarding this
vulnerability.

Engarde

No statement is currently available from the vendor regarding this
vulnerability.

eSoft

We don't have an H.323 implementation and thus aren't affected by
this.

Extreme Networks

No statement is currently available from the vendor regarding this
vulnerability.

F5 Networks

No statement is currently available from the vendor regarding this
vulnerability.

Foundry Networks Inc.

No statement is currently available from the vendor regarding this
vulnerability.

FreeBSD

No statement is currently available from the vendor regarding this
vulnerability.

Fujitsu

Please see the NISCC Vulnerability Advisory 006489/H323 at

Global Technology Associates

No statement is currently available from the vendor regarding this
vulnerability.

Hitachi

Please see the NISCC Vulnerability Advisory 006489/H323 at

Hewlett-Packard Company

Please see the NISCC Vulnerability Advisory 006489/H323 at

Ingrian Networks

No statement is currently available from the vendor regarding this
vulnerability.

Intel

No statement is currently available from the vendor regarding this
vulnerability.

Intoto

No statement is currently available from the vendor regarding this
vulnerability.

Juniper Networks

No statement is currently available from the vendor regarding this
vulnerability.

Lachman

No statement is currently available from the vendor regarding this
vulnerability.

Linksys

No statement is currently available from the vendor regarding this
vulnerability.

Lotus Software

No statement is currently available from the vendor regarding this
vulnerability.

Lucent Technologies

Please see the NISCC Vulnerability Advisory 006489/H323 at

Microsoft Corporation

Please see
/en-us/

MontaVista Software

No statement is currently available from the vendor regarding this
vulnerability.

MandrakeSoft

No statement is currently available from the vendor regarding this
vulnerability.

Multi-Tech Systems Inc.

No statement is currently available from the vendor regarding this
vulnerability.

NEC Corporation

No statement is currently available from the vendor regarding this
vulnerability.

NetBSD

NetBSD does not ship any H.323 implementations as part of the
Operating System.

There are a number of third-party implementations available in the
pkgsrc system. As these products are found to be vulnerable, or
updated, the packages will be updated accordingly. The
audit-packages mechanism can be used to check for known-vulnerable
package versions.

Netfilter

No statement is currently available from the vendor regarding this
vulnerability.

NetScreen

No statement is currently available from the vendor regarding this
vulnerability.

Network Appliance

No statement is currently available from the vendor regarding this
vulnerability.

Nokia

No statement is currently available from the vendor regarding this
vulnerability.

Nortel Networks

The following Nortel Networks Generally Available products and
solutions are potentially affected by the vulnerabilities
identified in NISCC Vulnerability Advisory 006489/H323 and CERT
VU#749342:

Business Communications Manager (BCM) (all versions) is potentially
affected; more information is available in Product Advisory Alert
No. PAA 2003-0392-Global.

Succession 1000 IP Trunk and IP Peer Networking, and 802.11
Wireless IP Gateway are potentially affected; more information is
available in Product Advisory Alert No. PAA-2003-0465-Global.

For more information please contact

North America: 1-800-4NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009,
or +44 (0) 870 907 9009

Contacts for other regions are available at

https://www.nortelnetworks.com/corporate/global.html

Or visit the eService portal at
under Advanced Search.

If you are a channel partner, more information can be found under

under Advanced Search.

Novell

No statement is currently available from the vendor regarding this
vulnerability.

Objective Systems Inc.

Please see the NISCC Vulnerability Advisory 006489/H323 at

OpenBSD

No statement is currently available from the vendor regarding this
vulnerability.

Openwall GNU/*/Linux

No statement is currently available from the vendor regarding this
vulnerability.

RadVision

Please see the NISCC Vulnerability Advisory 006489/H323 at

Red Hat Inc.

Please see the NISCC Vulnerability Advisory 006489/H323 at

Oracle Corporation

No statement is currently available from the vendor regarding this
vulnerability.

Riverstone Networks

No statement is currently available from the vendor regarding this
vulnerability.

Secure Computing Corporation

No statement is currently available from the vendor regarding this
vulnerability.

SecureWorks

No statement is currently available from the vendor regarding this
vulnerability.

Sequent

No statement is currently available from the vendor regarding this
vulnerability.

Sony Corporation

No statement is currently available from the vendor regarding this
vulnerability.

Stonesoft

No statement is currently available from the vendor regarding this
vulnerability.

Sun Microsystems Inc.

Sun SNMP does not provide support for H.323, so we are not
vulnerable. And so far we have not found any bundled products that
are affected by this vulnerability. We are also actively
investigating our unbundled products to see if they are affected.
Updates will be provided to this statement as they become
available.

SuSE Inc.

No statement is currently available from the vendor regarding this
vulnerability.

Symantec Corporation

Please see the NISCC Vulnerability Advisory 006489/H323 at

Unisys

No statement is currently available from the vendor regarding this
vulnerability.

TandBerg

Please see the NISCC Vulnerability Advisory 006489/H323 at

Tumbleweed Communications Corp.

Please see the NISCC Vulnerability Advisory 006489/H323 at

TurboLinux

No statement is currently available from the vendor regarding this
vulnerability.

uniGone

Please see the NISCC Vulnerability Advisory 006489/H323 at

WatchGuard

No statement is currently available from the vendor regarding this
vulnerability.

Wirex

No statement is currently available from the vendor regarding this
vulnerability.

Wind River Systems Inc.

No statement is currently available from the vendor regarding this
vulnerability.

Xerox

No statement is currently available from the vendor regarding this
vulnerability.

ZyXEL

No statement is currently available from the vendor regarding this
vulnerability.
_________________________________________________________________

The CERT Coordination Center thanks the NISCC Vulnerability Management
Team and the University of Oulu Security Programming Group (OUSPG) for
coordinating the discovery and release of the technical details of
this issue.
_________________________________________________________________

Feedback may be directed to the authors: Jeffrey S. Havrilla, Mindi J.
McDowell, Shawn V. Hernan and Jason A. Rafail
______________________________________________________________________

This document is available from:
2004 CERT Advisories
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
/about/divisions/cert/index.cfm

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site
/about/divisions/cert/index.cfm

To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2004 Carnegie Mellon University.

Revision History
January 13, 2004: Initial release