[NEWS] Vulnerability Issues in Implementations of the H.323 Protocol (Generic)

From: SecuriTeam (support_at_securiteam.com)
Date: 01/13/04

    To: list@securiteam.com
    Date: 13 Jan 2004 19:39:02 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Vulnerability Issues in Implementations of the H.323 Protocol (Generic)
    ------------------------------------------------------------------------

    SUMMARY

    During 2002, the University of Oulu Security Programming Group (OUSPG)
    discovered a number of implementation-specific vulnerabilities in the
    Simple Network Management Protocol (SNMP). Subsequent to this discovery,
    NISCC has performed and commissioned further work on identifying
    implementation-specific vulnerabilities in related protocols that are
    critical to the UK Critical National Infrastructure. One of these
    protocols is H.225, which is part of the H.323 family and is commonly
    implemented as a component of multimedia applications such as Voice over
    IP.

    OUSPG has produced a test suite for H.225 and employed it to validate
    their findings against a number of products from different vendors. The
    test results have been confirmed by testing performed by NISCC, and the
    affected vendors have been contacted with the test results. These
    vendors' product lines cover a great deal of the existing critical
    information infrastructure worldwide and have therefore been addressed
    as a priority. However, NISCC has subsequently contacted other vendors
    whose products employ H.323 and provided them with tools with which to
    test these implementations.

    All users of network and multimedia equipment are advised to take note
    of this advisory and carry out any remedial actions suggested by their
    vendor(s).

    DETAILS

    What is Affected?
    The vulnerabilities described in this advisory affect the network protocol
    H.323. Many vendors include support for this protocol in their products
    and may be impacted to varying degrees, if at all. The web page detailing
    this vulnerability includes any vendor-specific information that is
    available to us. Please see
    http://www.uniras.gov.uk/vuls/2004/006489/h323.htm for further
    information.

    Severity
    The severity of these vulnerabilities varies by vendor. Please see the
    vendor section below for further information. Alternatively, contact your
    vendor for product-specific information.

    If exploited, these vulnerabilities could allow an attacker to create a
    Denial of Service condition. There are indications that it may be possible
    for an attacker to execute code because of a buffer overflow.

    Technical Details:
    H.323 is an international standard protocol, published by the
    International Telecommunications Union, that supports inter-operability
    between vendor implementations of telephony and multimedia products across
    IP based networks. As such, it is often supported on network perimeter and
    multimedia hardware such as video-conferencing equipment. The specific
    sub-component that has been tested, H.225, deals with the set-up of
    connections between H.323 devices.

    Vendor-specific information will be released as it becomes available and
    if vendor permission has been received. Subscribers are advised to check
    the following URL regularly for updates:
    http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

    Solution:
    Please refer to the Vendor Information section of this advisory for
    implementation-specific remediation.

    Vendor Information:
    The following vendors have provided information about how their products
    are affected by these vulnerabilities.

    Apple
    Not vulnerable.

    Avaya Inc.
    Avaya is aware of this advisory and is investigating. Any additional
    information concerning Avaya products will be posted at
    http://support.avaya.com/security.

    Cisco
    Cisco have released an advisory at the following URL:
    http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml

    Cyberguard
    Not vulnerable.

    Fujitsu
    Interstage, SystemWalker, SymfoWARE and TeamWARE family products are not
    affected by H.323 protocol. Other products are under investigation.

    Hewlett-Packard
    At the time of writing this document, HP is currently investigating the
    potential impact to HP's released Operating System software products.

    As further information becomes available HP will provide notice of the
    availability of any necessary patches through standard security bulletin
    announcements and be available from your normal HP Services support
    channel.

    Hitachi
    Hitachi products are not affected by this issue.

    Lucent
    Lucent Technologies is aware of this vulnerability advisory and is
    investigating any potential impact to its product portfolio. As further
    information becomes available, Lucent will provide information directly to
    its customers, if appropriate.

    Microsoft
    Microsoft has released an advisory at the following URL:
    http://www.microsoft.com/technet/security/bulletin/ms04-001.asp

    Nortel
    The following Nortel Networks Generally Available products and solutions
    are potentially affected by the vulnerabilities identified in NISCC
    Vulnerability Advisory 006489/H323:

     * Business Communications Manager (BCM) (all versions) is potentially
    affected; more information is available in Product Advisory Alert No. PAA
    2003-0392-Global.

     * Succession 1000 IP Trunk and IP Peer Networking, and 802.11 Wireless IP
    Gateway are potentially affected; more information is available in Product
    Advisory Alert No. PAA-2003-0465-Global.

    For more information please contact North America: 1-800-4NORTEL or
    1-800-466-7835; Europe, Middle East and Africa: 00800 8008 9009, or +44 (0)
    870 907 9009. Contacts for other regions are available at
    http://www.nortelnetworks.com/help/contact/global/, or visit the eService
    portal at http://www.nortelnetworks.com/cs under Advanced Search.

    If you are a channel partner, more information can be found under
    http://www.nortelnetworks.com/pic under Advanced Search.

    Objective Systems, Inc.
    Not vulnerable.

    RADVISION
    The viaIP product line has been made invulnerable to the H.323
    vulnerability test over the course of 2003. All the currently shipping
    versions of the product line elements (including the MCU, GW and ECS
    products) are immune to the test. The respective version numbers are:

    MCU version 3.2 and above
    GW version 2.01 and above
    ECS version 3.2.2.2 and above

    For more information please contact RADVISION customer support.
    Information about how to contact customer support can be found at:
    http://www.radvision.com/NBU/Customer+Support.htm.

    Red Hat
    Not vulnerable.

    Symantec
    Not vulnerable.

    Tandberg
    Some malformed H323 signalling can result in denial-of-service (DOS) for
    TANDBERG videoconferencing endpoints. The endpoints will appear to hang
    for a while, then restart automatically, returning to normal service.

    There are no known issues which involve compromising of audio or video in
    an encrypted conference, or other loss of sensitive data. We expect to
    have product update(s) resolving these known issues in Q2-2004.

    For further information on this issue contact: security@tandberg.net

    Tumbleweed
    Not vulnerable.

    uniGone
    Not vulnerable.

    ADDITIONAL INFORMATION

    The original advisory can be viewed on-line at
    http://www.uniras.gov.uk/vuls/2004/006489/h323.htm.

    The information has been provided by Chris Wysopal
    <weld@vulnwatch.org>.
