[NEWS] Vulnerabilities in H.323 Message Processing
From: SecuriTeam (support_at_securiteam.com)
Date: 01/13/04
To: list@securiteam.com Date: 13 Jan 2004 18:44:42 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Vulnerabilities in H.323 Message Processing
------------------------------------------------------------------------
SUMMARY
Multiple Cisco products contain vulnerabilities in the processing of H.323
messages, which are typically used in Voice over Internet Protocol (VoIP)
or multimedia applications. A test suite has been developed by the
University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS® Software
Release 11.3T. Release 11.3T and all later Cisco IOS releases are affected
if configured for various types of voice/multimedia application support.
Vulnerable devices include those configured as an H.323 network element as
well as those configured for IOS Network Address Translation (NAT) and
those configured for IOS Firewall (also known as Context-Based Access
Control [CBAC]).
Other Cisco voice products that do not run Cisco IOS may also be affected.
These vulnerabilities can be exploited repeatedly to produce a denial of
service (DoS).
DETAILS
Affected Products:
All Cisco products that run Cisco IOS software and support H.323 packet
processing are affected. This may include devices configured for Session
Initiation Protocol (SIP) or Media Gateway Control Protocol (MGCP), since
support for these protocols can enable support for H.323. Cisco AS5xxx
series platforms are vulnerable regardless of their configuration because
of a bug that enables H.323 but does not allow the protocol to be turned
off.
Other affected products that do not run Cisco IOS software include:
* Cisco CallManager versions 3.0 through 3.3
* Cisco Conference Connection (CCC)
* Cisco Internet Service Node (ISN)
* Cisco BTS 10200 Softswitch
* Cisco 7905 IP Phone H.323 Software Version 1.00
* Cisco ATA 18x series products running H.323/SIP loads with versions
earlier than 2.16.1
Note: Cisco ATA 18x series products are only vulnerable when configured for
H.323. They are not vulnerable when configured for SIP.
To determine the software running on a Cisco product, log in to the device
and issue the show version command to display the system banner. Cisco IOS
Software will identify itself as "Internetwork Operating System Software"
or simply "IOS". On the next line of output, the image name will be
displayed between parentheses, followed by "Version" and the IOS release
name. Other Cisco devices will not have the show version command or will
give different output.
The following example identifies a Cisco product running Cisco IOS
Software Release 12.0(3) with an installed image name of C2500-IS-L. The
release train label is 12.0.
Cisco Internetwork Operating System Software IOS (TM)
2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE
The following example shows a product running Cisco IOS Software Release
12.0(2a)T1 with an image name of C2600-JS-MZ.
Cisco Internetwork Operating System Software IOS (tm)
C2600 Software (C2600-JS-MZ), Version 12.0(2a)T1, RELEASE SOFTWARE (fc1)
Additional information about Cisco IOS version naming is available at
http://www.cisco.com/warp/public/620/1.html.
If you are running Cisco IOS versions 10.x, 11.1, 11.2 or earlier, you are
not affected.
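The banner format described above is regular enough to parse mechanically, which helps when checking many devices. The following is an added example, not part of the advisory: it extracts the image name, release and release train from the second banner line and reports whether the train is 11.3 or later, the point from which H.323 support exists. The two banners are the ones quoted above; the 11.2 and 11.3T banners and the PIX string are constructed samples, and the function names are my own.

```python
import re

# The two banner excerpts quoted in the advisory, plus constructed samples
# (not from the advisory) for an 11.2 image and an 11.3T image.
BANNER_12_0_3 = """Cisco Internetwork Operating System Software IOS (TM)
2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE"""
BANNER_12_0_2A_T1 = """Cisco Internetwork Operating System Software IOS (tm)
C2600 Software (C2600-JS-MZ), Version 12.0(2a)T1, RELEASE SOFTWARE (fc1)"""
BANNER_11_2 = """Cisco Internetwork Operating System Software IOS (tm)
2500 Software (C2500-I-L), Version 11.2(18), RELEASE SOFTWARE (fc1)"""
BANNER_11_3T = """Cisco Internetwork Operating System Software IOS (tm)
2500 Software (C2500-IS-L), Version 11.3(11b)T, RELEASE SOFTWARE (fc1)"""

# Second banner line: "<platform> Software (<image>), Version <release>, ..."
_IMAGE_VERSION_RE = re.compile(r"\(([^()]+)\),\s*Version\s+([^,\s]+),")
# The release train is the leading "major.minor", e.g. 12.0 in 12.0(2a)T1.
_TRAIN_RE = re.compile(r"^(\d+)\.(\d+)")


def parse_show_version(banner: str):
    """Return image, release and train for a Cisco IOS banner, or None if the
    text is not an IOS banner (other Cisco devices print different output)."""
    if "Internetwork Operating System Software" not in banner and "IOS" not in banner:
        return None
    m = _IMAGE_VERSION_RE.search(banner)
    if not m:
        return None
    image, version = m.group(1), m.group(2)
    t = _TRAIN_RE.match(version)
    if not t:
        return None
    major, minor = int(t.group(1)), int(t.group(2))
    return {"image": image, "version": version, "train": f"{major}.{minor}",
            "major": major, "minor": minor}


def in_advisory_scope(info) -> bool:
    """True when the release train is 11.3 or later (H.323 support began in
    11.3T). 10.x, 11.1 and 11.2 are outside the advisory's scope. Being in
    scope is not the same as being vulnerable: a later release is affected only
    if it is configured for H.323, IOS NAT or IOS Firewall (see below)."""
    return info is not None and (info["major"], info["minor"]) >= (11, 3)


if __name__ == "__main__":
    for banner in (BANNER_12_0_3, BANNER_12_0_2A_T1, BANNER_11_2, BANNER_11_3T):
        info = parse_show_version(banner)
        print(info["image"], info["version"], "train", info["train"],
              "in scope" if in_advisory_scope(info) else "not affected")
```

The scope check deliberately stops at the release train: whether a given in-scope release is fixed is answered by the advisory's Software Versions and Fixes table, not by the banner alone.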
Cisco IOS Processing of H.323 Traffic
There are three areas where IOS can be vulnerable to malformed H.323
packets. Please read the following sections to determine if your router is
affected.
Note: If you choose to block H.323 traffic using an access list to prevent
H.323 traffic from entering the router, then you are protected and need
not bother with the details below. Please see the Workarounds section for
more details on how to do this. Cisco recommends that customers upgrade to
an appropriate IOS image at their earliest convenience.
To determine if your Cisco IOS device is processing H.323 traffic and is
possibly vulnerable, it is necessary to understand the three different
ways that Cisco IOS software processes H.323 traffic.
1. H.323 Endpoints
This includes H.323 Gateway, H.323 Gatekeeper, H.323 Gatekeeper with Proxy
and ALL of the AS5xxx platforms.
From the enable prompt, run the show process cpu command and look for a
process called CCH323_CT. In later versions of Cisco IOS software, you can
filter the output with show process cpu | include CCH323_CT.
Router# show process cpu | include CCH323_CT
112 Mwe 60F3E5E0 295112 239401 123220072/24000 0 CCH323_CT
Note: Not all access server images support H.323. Only images with a
"PLUS" feature set (such as IP PLUS, ENTERPRISE PLUS) support voice and
will have the CCH323_CT process running.
* If you see the process called CCH323_CT, your router is affected.
Please consult the IOS table to determine which version is appropriate for
your device. If you cannot immediately upgrade, the following workarounds
may work for you:
o If you are not using H.323 within your network, an inbound access list
to block TCP port 1720 will protect your router, but it is recommended
that you upgrade as soon as is feasible.
o If you are using H.323, then you can configure an access list to
restrict TCP port 1720 traffic to known, trusted IP addresses. Again,
upgrading as soon as is feasible is recommended.
* If you do NOT see the CCH323_CT process, you may still be vulnerable.
Some configurations of H.323 Gatekeeper are vulnerable. Affected
configurations are those gatekeepers configured for H.323 Proxy. To check
whether your gatekeeper is configured for H.323 Proxy, look for the line
"proxy h323" in the global configuration. If "proxy h323" is configured,
then you are vulnerable.
o If you are not using GK proxy functionality, you can disable proxy
functionality by doing the following configuration.
Note: This will drop all calls being managed by the gatekeeper. Perform
this only when you can safely stop gatekeeper functionality.
Router(config)#no proxy h323
Router(config)#gatekeeper
Router(config-gk)#shutdown
Router(config-gk)#no shutdown
o If you are using H.323 proxy, your options are to either configure an
access list to restrict TCP port 1720 traffic to known, trusted IP
addresses, or to upgrade your IOS version.
2. IOS Firewall (Context-Based Access Control)
If your IOS device is configured to use IOS Firewall (IOS FW, or
Context-Based Access Control [CBAC]), check to see if IOS FW is running on
the device by issuing the show ip inspect all command. Look for the
following lines indicating that IOS FW is applied to an interface. In this
case, inspection rule "<NAME>" is applied inbound to interface
FastEthernet0/0.
Interface Configuration
Interface FastEthernet0/0
Inbound inspection rule is <NAME>
tcp alert is on audit-trail is off timeout 3600
h323 alert is on audit-trail is off timeout 3600
Outgoing inspection rule is not set
* To turn off inbound IOS FW (CBAC) on interface FastEthernet0/0, enter
the following commands in interface configuration mode.
Router#config t
Router(config)#Interface FastEthernet 0/0
Router(config-if)#no ip inspect <NAME> in
* If outbound IOS FW (CBAC) is configured on FastEthernet0/0, enter the
following commands in interface configuration mode.
Router#config t
Router(config)#Interface FastEthernet 0/0
Router(config-if)#no ip inspect <NAME> out
* To turn off the IOS FW (CBAC) processing of H.323 messages only while
leaving other IOS FW behavior unaffected, enter the following command in
global configuration mode.
Router(config)#no ip inspect name <NAME> h323
Cisco recommends that you upgrade your IOS as soon as possible.
3. IOS Network Address Translation (NAT)
If you have configured NAT rules and have NAT activated on any interface,
check to see if NAT is configured and activated on the device by issuing
the show ip nat statistics command.
Router#show ip nat statistics
Total active translations: 3 (3 static, 0 dynamic; 0 extended
Outside interfaces
Inside interfaces
Hits: 0 Misses: 0
Expired translations: 0
Dynamic mappings:
* If there is no output or the output doesn't list any inside or outside
interfaces (as in the example above), then the IOS device is not doing NAT
and you are not vulnerable because of NAT.
* If the output does list any inside or outside interfaces, then you may
be vulnerable because of NAT. An example is shown below.
Total active translations: 3 (3 static, 0 dynamic; 0 extended
Outside interfaces:
Serial3/0
Inside interfaces:
Serial1/0
Hits: 0 Misses: 0
Expired translations: 0
Dynamic mappings:
* You are not vulnerable because of NAT if your configuration only
contains Port Address Translation (PAT) statements and your PAT statements
do not explicitly specify TCP port 1720 in your PAT translations.
o To see if you are doing only PAT, check to see if your IOS NAT
configuration contains any of the following NAT rules without the
overload, route-map, or extendable keywords.
ip nat outside source ...
ip nat inside destination ...
ip nat inside source ...
If you see any of the above lines without the overload, route-map, or
extendable keywords, then you are vulnerable.
o To see if you are doing a static PAT for H.323 (TCP port 1720), look
for any lines with the following pattern.
ip nat (inside|outside) source static tcp
ip-addr (port|1720) ip-addr (1720|port)
The following examples would be vulnerable.
ip nat inside source static tcp 10.1.0.1 1720 10.2.0.1 5834
ip nat outside source static tcp 10.15.12.1 6884 10.6.7.1 1720
ip nat inside source static tcp 10.1.0.17 1720 10.33.14.1 1720
The following examples would not be vulnerable.
ip nat inside source static tcp 10.1.0.17 53 10.33.14.1 53
ip nat outside source static udp 10.1.14.75 1720 10.131.1.1 6888
If any of your configuration lines are vulnerable, please consult the
Workarounds section.
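The three checks above (CCH323_CT process or "proxy h323" for endpoints, IOS Firewall inspection rules that include h323 and are applied to an interface, and NAT rules that translate TCP 1720 or translate every port) can be applied to a saved running configuration offline. The following is an added example and not Cisco's or the advisory's code: it encodes the advisory's decision rules over a constructed configuration excerpt that mixes the vulnerable and non-vulnerable NAT lines shown above. The Finding type, function names and sample configuration are my own.

```python
from dataclasses import dataclass

H323_PORT = "1720"
# Presence of any of these on a NAT rule means PAT or route-map translation,
# which the advisory treats as not vulnerable unless TCP 1720 is mapped explicitly.
PAT_KEYWORDS = {"overload", "route-map", "extendable"}

# Constructed running-config excerpt (sample, not from the advisory) that
# exercises all three checks; the NAT lines mirror the advisory's examples.
SAMPLE_CONFIG = """
hostname edge-rtr
!
ip inspect name FW tcp
ip inspect name FW h323
proxy h323
!
interface FastEthernet0/0
 ip inspect FW in
 ip nat outside
!
interface FastEthernet0/1
 ip nat inside
!
ip nat inside source static tcp 10.1.0.1 1720 10.2.0.1 5834
ip nat inside source static tcp 10.1.0.17 53 10.33.14.1 53
ip nat outside source static udp 10.1.14.75 1720 10.131.1.1 6888
ip nat inside source list 1 pool h323-test overload
ip nat inside source static 10.0.0.5 1.0.0.5
ip nat translation port-timeout tcp 1720 2
"""


@dataclass(frozen=True)
class Finding:
    area: str    # "endpoint", "cbac" or "nat"
    line: str    # configuration line that triggered the finding
    reason: str


def has_cch323_process(show_process_cpu: str) -> bool:
    """Check 1: 'show process cpu' lists CCH323_CT when the image runs H.323."""
    return any("CCH323_CT" in l.split() for l in show_process_cpu.splitlines())


def audit_nat_rule(line: str):
    """Check 3: classify one 'ip nat ... source|destination ...' rule."""
    tok = line.split()
    if tok[:2] != ["ip", "nat"] or not ({"source", "destination"} & set(tok)):
        return None  # 'ip nat inside/outside', pools, timeouts: not translation rules
    if "static" in tok:
        i = tok.index("static")
        proto = tok[i + 1] if i + 1 < len(tok) else ""
        if proto in ("tcp", "udp"):
            # ... static <proto> <local-ip> <local-port> <global-ip> <global-port>
            ports = {tok[i + 3], tok[i + 5]} if len(tok) > i + 5 else set()
            if proto == "tcp" and H323_PORT in ports:
                return Finding("nat", line, "static PAT maps TCP port 1720, so H.323 is inspected")
            return None  # static PAT for another port, or for UDP: not vulnerable
        if PAT_KEYWORDS & set(tok):
            return None
        return Finding("nat", line, "static translation passes every port, including TCP 1720")
    if PAT_KEYWORDS & set(tok):
        return None  # PAT-only or route-map based dynamic translation
    return Finding("nat", line, "translation rule without overload/route-map/extendable")


def audit_config(config: str) -> list:
    """Run checks 1 (proxy h323), 2 (IOS FW h323 inspection) and 3 (NAT)."""
    findings = []
    h323_inspect_rules, applied_rules = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok == ["proxy", "h323"]:
            findings.append(Finding("endpoint", line, "H.323 gatekeeper proxy is enabled"))
        elif tok[:3] == ["ip", "inspect", "name"] and len(tok) > 4 and tok[4] == "h323":
            h323_inspect_rules.add(tok[3])          # global: this rule inspects H.323
        elif tok[:2] == ["ip", "inspect"] and len(tok) == 4 and tok[3] in ("in", "out"):
            applied_rules.add(tok[2])               # interface: the rule is applied
        elif tok[:2] == ["ip", "nat"]:
            f = audit_nat_rule(line)
            if f:
                findings.append(f)
    # IOS FW only matters when a rule that inspects h323 is actually applied.
    for name in sorted(h323_inspect_rules & applied_rules):
        findings.append(Finding("cbac", f"ip inspect name {name} h323",
                                f"IOS FW rule {name} inspects H.323 and is applied to an interface"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.area}] {f.line}\n    -> {f.reason}")
```

The sample configuration yields four findings: the proxy, the applied FW rule, the static PAT on TCP 1720 and the unrestricted static translation; the DNS PAT, the UDP 1720 PAT and the overload rule are correctly left alone, matching the advisory's own lists of vulnerable and non-vulnerable lines.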
To determine if a particular Cisco IOS release is vulnerable, consult the
list below in the Software Versions and Fixes section to determine if the
product is running an affected version of software.
Unaffected Products:
The following list of Cisco products is provided specifically to list
those products that customers may also be concerned about in regards to
these vulnerabilities. The products below are not affected either because
they are not vulnerable or because they do not support H.323 processing.
Any other Cisco products that have not been identified as vulnerable or
have been omitted from the list below should be considered as not
vulnerable, as no other Cisco products are known to be affected by these
vulnerabilities.
* Cisco IP Phone models 7960, 7940, 7912, 7910, 7902, 30VIP, and 12SP+
* Cisco uOne (All Versions)
* VG248 Analog Phone Gateway
* Cisco Unity Server
* Catalyst 6000 WS-X6608 Voice Services Module and WS-X6624 FXS Analog
Station Interface Module
* PGW2200, SC2200, VSC3000 and H.323 Signalling Interface (HSI)
* Cisco IP/VC 3500 Series
* IP/TV series
* Catalyst 19xx, 28xx, 290x, 292x, 2948g, 3000, 3200, 3900, 4000, 4912g,
and 5000 series switches
* Catalyst 2900XL, 2900XL-LRE, 2940, 2950, 2950-LRE, 2955, 2970, 3500XL,
3550, and 3750 series switches
* Cache Engine series
* Content Engine series
* SN5400 series storage routers
* VPN 3000 and VPN 5000 series VPN concentrators
* Voice Interworking Service Module (VISM)
* VCO/4K
* Cisco Secure Intrusion Detection System (NetRanger) appliance and IDS
Module
* BR340, WGB340, AP340, AP350, and BR350 Cisco/Aironet wireless products
* Cisco Aironet 1100 series, 1200 series, and 1400 series wireless
products
* Cisco PIX Firewall
* Cisco Catalyst 6500 Series Firewall Services Module
* Cisco 6xx series DSL modems running CBOS
* Cisco 7xx series routers
* Cisco 12000 series routers
* Cisco 10000 series routers
* 61xx and 62xx series DSLAMs
* Cisco CSS11xxx series (including SSL Accelerator)
* LocalDirector
* BPX, IGX, MGX WAN switches, and the Service Expansion Shelf
* Cisco Intelligent Contact Management (ICM)
* Cisco ONS 15xxx platforms
Technical Details:
H.323 is the International Telecommunications Union (ITU) standard for
real-time multimedia communications and conferencing over packet-based
(IP) networks. A subset of the H.323 standard is H.225.0, a standard used
for call signalling protocols and media stream packetization over IP
networks.
The H.225.0 standard defines message formats for call setup, call control,
and communications using Abstract Syntax Notation One (ASN.1). ITU
Standard Q.931, which was developed for call signalling purposes in ISDN
networks, is also used as the standard for the call setup messages within
H.225.0.
The University of Oulu Secure Programming Group (OUSPG) has created a test
suite for H.323, more specifically the H.225.0 and Q.931 messages, to help
support proactive discovery and resolution of vulnerabilities in the
processing of H.323 messages. The test suite is generally used to analyze
a protocol and produce messages that probe various design limits within an
implementation of a protocol. Test packets containing overly long or
exceptional elements in various fields of the H.323 Protocol Data Units
(PDUs) can be programmatically generated and then transmitted to a network
device under test. The PROTOS test suite for H.323, as distributed,
contains approximately 4500 individual test cases.
The vulnerabilities discovered in the affected products can be easily and
repeatedly demonstrated with the use of the OUSPG PROTOS Test Suite for
H.323. The largest group of vulnerabilities described in this advisory
result from insufficient checking of H.225.0 messages as they are received
and processed by an affected system. Malformed H.225.0 messages received
by affected systems can cause various parsing and processing functions to
fail, which may result in a system crash and reload (or reboot) in most
circumstances.
Typically, H.323 network elements implement call signalling over both UDP
and TCP transports on port 1720. The H.323 test suite from OUSPG only
tests the TCP implementation on port 1720 by default.
Workarounds:
Workarounds for H.323 endpoint and proxy configurations
Affected devices that must run H.323 are vulnerable, and no specific
configuration setting protects them. Applying access lists on interfaces
that should not accept H.323 traffic and placing firewalls in strategic
locations may greatly reduce exposure until an upgrade can be performed.
The Voice over IP SAFE paper talks about a variety of best practices that
should keep your voice network isolated from the Internet. This reduces
the risk of exposure, although attacks from within the local network
should always be considered a potential risk.
SAFE: IP Telephony Security in Depth:
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801b7a50.shtml
Below is an example of an access list to block H.323 management traffic
from anywhere but a permitted network. In this example, the permitted
network is 172.16.0.0/16.
!--- Permit access from any IP address in the 172.16.0.0/16
!--- network to anywhere on port 1720.
access-list 101 permit tcp 172.16.0.0 0.0.255.255 any eq 1720
!--- Permit access from anywhere to a host in the
!--- 172.16.0.0/16 network on port 1720.
access-list 101 permit tcp any 172.16.0.0 0.0.255.255 eq 1720
!--- Deny all other traffic from port 1720.
access-list 101 deny tcp any eq 1720 any
!--- Deny all other traffic to port 1720.
access-list 101 deny tcp any any eq 1720
!--- Permit all other traffic.
access-list 101 permit ip any any
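IOS evaluates an access list top to bottom and stops at the first matching entry, so the two permits for the trusted network must precede the two denies for port 1720, and the final permit keeps everything else flowing. The following added example (not from the advisory or from Cisco) implements wildcard-mask matching and first-match evaluation for the access-list syntax used here, then runs constructed packets through access list 101 to show which are permitted. The function names and the sample packets are my own.

```python
import ipaddress

# Access list 101 from the advisory (permitted network 172.16.0.0/16).
# Lines beginning with "!" are IOS comments and are skipped by the parser.
ACL_101 = """
!--- Permit trusted network to anywhere on 1720, and anywhere to trusted network on 1720.
access-list 101 permit tcp 172.16.0.0 0.0.255.255 any eq 1720
access-list 101 permit tcp any 172.16.0.0 0.0.255.255 eq 1720
!--- Deny all other port 1720 traffic in either direction.
access-list 101 deny tcp any eq 1720 any
access-list 101 deny tcp any any eq 1720
access-list 101 permit ip any any
"""


def _parse_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((addr, wildcard), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (int(ipaddress.IPv4Address(tok[1])), 0), tok[2:]
    return (int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1]))), tok[2:]


def _parse_port(tok):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tok and tok[0] == "eq":
        return int(tok[1]), tok[2:]
    return None, tok


def parse_acl(text):
    """Parse extended ACL entries of the form used in the advisory into tuples."""
    aces = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] != "access-list":
            continue  # blank lines and "!---" comments
        action, proto = tok[2], tok[3]
        src, rest = _parse_addr(tok[4:])
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        aces.append((action, proto, src, sport, dst, dport))
    return aces


def _addr_matches(rule, ip):
    """Wildcard bits are 'don't care'; every other bit must equal the rule address."""
    addr, wild = rule
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wild & 0xFFFFFFFF) == 0


def evaluate(aces, proto, src, sport, dst, dport):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for action, rproto, rsrc, rsport, rdst, rdport in aces:
        if rproto != "ip" and rproto != proto:
            continue
        if not (_addr_matches(rsrc, src) and _addr_matches(rdst, dst)):
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    aces = parse_acl(ACL_101)
    # Constructed sample packets: (proto, src, sport, dst, dport).
    for pkt in [("tcp", "172.16.5.5", 40000, "10.0.0.1", 1720),
                ("tcp", "192.0.2.10", 40000, "172.16.1.20", 1720),
                ("tcp", "192.0.2.10", 40000, "10.0.0.1", 1720),
                ("tcp", "192.0.2.10", 1720, "10.0.0.1", 40000),
                ("tcp", "192.0.2.10", 40000, "10.0.0.1", 443),
                ("udp", "192.0.2.10", 1720, "10.0.0.1", 1720)]:
        print(pkt, "->", evaluate(aces, *pkt))
```

One point the walk-through makes visible: because every filtering entry is a tcp entry, a UDP datagram to or from port 1720 falls through to "permit ip any any". That is consistent with the advisory's statement that the PROTOS suite exercises TCP port 1720 by default, but sites whose H.323 elements also accept signalling over UDP 1720 should account for it when copying this access list.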
Workarounds for IOS devices performing NAT on H.323 traffic
Cisco IOS devices that run an affected version of 12.1 or 12.1E code and
are configured to do static NAT are vulnerable to attacks with corrupted
packets being processed by NAT through the device. There are several
methods of reducing or removing the risk in these circumstances.
* Access lists for the outside interface
H.323 deep packet inspection is only done on packets with a source or
destination port of 1720. If it is not necessary to translate or accept
these packets, they can be blocked by an external device such as a
firewall, or by input access lists applied to the outside interface of the
device performing the NAT.
interface serial 0/0
 ip nat outside
 !--- This is used to indicate which interface
 !--- this configuration should be applied to.
 ip access-group 101 in
!
access-list 101 deny tcp any eq 1720 any
access-list 101 deny tcp any any eq 1720
access-list 101 permit ip any any
* Policy-based routing to block port 1720 traffic on static NAT
translations
Simple static translations allow through traffic on any port. If it is not
necessary to allow H.323 traffic through your static NAT configuration,
but applying access lists to your outside interface is not practical, you
may use policy-based routing to reroute traffic destined for port 1720.
Policy-based routing is processed before NAT.
In this example, the address 1.0.0.5 is an externally routable address for
which the router is performing NAT to a local network address.
interface Null0
 no ip unreachables
!
interface Ethernet0/0
 ip address 10.0.0.8 255.255.255.0
 ip nat inside
!
interface Ethernet0/1
 ip address 11.0.0.8 255.255.255.0
 ip nat outside
 ip policy route-map block-h323
!
ip nat inside source static 10.0.0.5 1.0.0.5
!
access-list 102 permit tcp any host 1.0.0.5 eq 1720
access-list 102 permit tcp any eq 1720 host 1.0.0.5
!
route-map block-h323 permit 10
 match ip address 102
 set interface Null0
* Blocking port 1720 using dynamic translations
Dynamic translations are vulnerable to attack from the outside address of
the original flow through the open translation, but can be timed out
quickly to reduce the risk of exposure with the ip nat translation
port-timeout tcp 1720 2 command. This times out the translation for port
1720 in 2 seconds, and may be too short for the necessary call setup
request to process.
NAT can be configured to not translate traffic sourced or destined to port
1720 with the use of route maps to match traffic instead of access lists.
The sample configuration listed below permits traffic sourced from the
10.0.0.0/24 network to be translated to an address within the NAT pool
"h323-test" except for traffic with a source or destination port of 1720.
Note: This will prevent users from using NAT for H.323-enabled
applications from their PC desktops, such as NetMeeting. It is critical to
understand your network and the applications in use on it when applying
this type of workaround.
interface Ethernet0/0
 ip address 10.0.0.8 255.255.255.0
 ip nat inside
!
interface Ethernet0/1
 ip address 11.0.0.8 255.255.255.0
 ip nat outside
!
ip nat pool h323-test 1.0.0.5 1.0.0.15 prefix-length 24
ip nat inside source route-map h323-block pool h323-test
!
access-list 101 deny tcp any any eq 1720
access-list 101 deny tcp any eq 1720 any
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
!
route-map h323-block permit 10
 match ip address 101
Defining a Windows-based access control list to limit H.323 traffic to locally trusted hosts only
A scripted workaround will be made available in order to create an IP
Security Policy on the host to allow only H.323 traffic from specifically
allowed sources. This workaround named IPSec-H323.exe should be posted to
Cisco.com the week of 13-January-2004.
ADDITIONAL INFORMATION
The complete advisory is available from:
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml
The information has been provided by the Cisco Systems Product Security
Incident Response Team (psirt@cisco.com).