-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities

   Original release date: January 13, 2004
   Last revised: --
   Source: CERT/CC, NISCC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Many  software  and  hardware  systems  that  implement  the H.323
       protocol

       Examples include
          + Voice over Internet Protocol (VoIP) devices and software
          + Video conferencing equipment and software
          + Session Initiation Protocol (SIP) devices and software
          + Media Gateway Control Protocol (MGCP) devices and software
          + Other  networking  equipment  that  may process H.323 traffic
            (e.g., routers and firewalls)

Overview

   A   number   of   vulnerabilities  have  been  discovered  in  various
   implementations of the multimedia telephony protocol H.323. Voice over
   Internet Protocol (VoIP) and video conferencing equipment and software
   can  use  these  protocols  to  communicate over a variety of computer
   networks.

I. Description

   The U.K. National Infrastructure Security Co-ordination Centre (NISCC)
   has    reported   multiple   vulnerabilities   in   different   vendor
   implementations  of  the multimedia telephony protocol H.323. H.323 is
   an  international  standard  protocol,  published by the International
   Telecommunications  Union,  used  to  facilitate  communication  among
   telephony  and  multimedia  systems.  Examples of such systems include
   VoIP,  video-conferencing  equipment,  and network devices that manage
   H.323  traffic.  A test suite developed by NISCC and the University of
   Oulu   Security   Programming   Group  (OUSPG)  has  exposed  multiple
   vulnerabilities  in a variety of implementations of the H.323 protocol
   (specifically its connection setup sub-protocol H.225.0).

   Information about individual vendor H.323 implementations is available
   in the Vendor Information section below, and in the Vendor Information
   section of NISCC Vulnerability Advisory 006489/H323.

   The  U.K.  National  Infrastructure  Security  Co-ordination Centre is
   tracking  these  vulnerabilities as NISCC/006489/H.323. The CERT/CC is
   tracking this issue as VU#749342. This reference number corresponds to
   CVE  candidate  CAN-2003-0819,  as  referenced  in  Microsoft Security
   Bulletin MS04-001.

II. Impact

   Exploitation  of  these vulnerabilities may result in the execution of
   arbitrary  code  or cause a denial of service, which in some cases may
   require a system reboot.

III. Solution

Apply a patch or upgrade

   Appendix  A  and  the  Systems  Affected section of Vulnerability Note
   VU#749342  contain  information provided by vendors for this advisory
   (<http://www.kb.cert.org/vuls/id/749342#systems>).

   However,  as  vendors  report  new information to the CERT/CC, we will
   only  update  VU#749342. If a particular vendor is not listed, we have
   not received their comments. Please contact your vendor directly.

Filter network traffic

   Sites  are  encouraged to apply network packet filters to block access
   to  the  H.323  services  at  network  borders.  This can minimize the
   potential  of  denial-of-service  attacks originating from outside the
   perimeter. The specific services that should be filtered include

     * 1720/TCP
     * 1720/UDP

   If  access  cannot  be  filtered at the network perimeter, the CERT/CC
   recommends  limiting  access to only those external hosts that require
   H.323  for normal operation. As a general rule, filtering all types of
   network  traffic  that  are  not  required  for  normal  operation  is
   recommended.

   It  is important to note that some firewalls process H.323 packets and
   may  themselves  be  vulnerable  to  attack.  As  noted in some vendor
   recommendations   like   Cisco  Security  Advisory  20040113-h323  and
   Microsoft  Security Bulletin MS04-001, certain sites may actually want
   to disable application layer inspection of H.323 network packets.

   Protecting  your  infrastructure  against  these  vulnerabilities  may
   require careful coordination among application, computer, network, and
   telephony  administrators.  You  may  have  to  make tradeoffs between
   security and functionality until vulnerable products can be updated.

Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  Please  see  the  Systems Affected section of Vulnerability
   Note   VU#749342   and   the   Vendor  Information  section  of  NISCC
   Vulnerability   Advisory   006489/H323   for  the  latest  information
   regarding the response of the vendor community to this issue.

3Com

     No  statement is currently available from the vendor regarding this
     vulnerability.

Alcatel

     No  statement is currently available from the vendor regarding this
     vulnerability.

Apple Computer Inc.

     Apple:  Not Vulnerable. Mac OS X and Mac OS X Server do not contain
     the issue described in this note.

AT&T

     No  statement is currently available from the vendor regarding this
     vulnerability.

Avaya

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Borderware

     No  statement is currently available from the vendor regarding this
     vulnerability.

Check Point

     No  statement is currently available from the vendor regarding this
     vulnerability.

BSDI

     No  statement is currently available from the vendor regarding this
     vulnerability.

Cisco Systems Inc.

     Please see
     http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml

Clavister

     No  statement is currently available from the vendor regarding this
     vulnerability.

Computer Associates

     No  statement is currently available from the vendor regarding this
     vulnerability.

Cyberguard

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Debian

     No  statement is currently available from the vendor regarding this
     vulnerability.

D-Link Systems

     No  statement is currently available from the vendor regarding this
     vulnerability.

Conectiva

     No  statement is currently available from the vendor regarding this
     vulnerability.

EMC Corporation

     No  statement is currently available from the vendor regarding this
     vulnerability.

Engarde

     No  statement is currently available from the vendor regarding this
     vulnerability.

eSoft

     We  don't  have an H.323 implementation and thus aren't affected by
     this.

Extreme Networks

     No  statement is currently available from the vendor regarding this
     vulnerability.

F5 Networks

     No  statement is currently available from the vendor regarding this
     vulnerability.

Foundry Networks Inc.

     No  statement is currently available from the vendor regarding this
     vulnerability.

FreeBSD

     No  statement is currently available from the vendor regarding this
     vulnerability.

Fujitsu

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Global Technology Associates

     No  statement is currently available from the vendor regarding this
     vulnerability.

Hitachi

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Hewlett-Packard Company

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Ingrian Networks

     No  statement is currently available from the vendor regarding this
     vulnerability.

Intel

     No  statement is currently available from the vendor regarding this
     vulnerability.

Intoto

     No  statement is currently available from the vendor regarding this
     vulnerability.

Juniper Networks

     No  statement is currently available from the vendor regarding this
     vulnerability.

Lachman

     No  statement is currently available from the vendor regarding this
     vulnerability.

Linksys

     No  statement is currently available from the vendor regarding this
     vulnerability.

Lotus Software

     No  statement is currently available from the vendor regarding this
     vulnerability.

Lucent Technologies

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Microsoft Corporation

     Please see
     http://www.microsoft.com/technet/security/bulletin/MS04-001.asp

MontaVista Software

     No  statement is currently available from the vendor regarding this
     vulnerability.

MandrakeSoft

     No  statement is currently available from the vendor regarding this
     vulnerability.

Multi-Tech Systems Inc.

     No  statement is currently available from the vendor regarding this
     vulnerability.

NEC Corporation

     No  statement is currently available from the vendor regarding this
     vulnerability.

NetBSD

     NetBSD  does  not  ship  any  H.323  implementations as part of the
     Operating System.

     There  are a number of third-party implementations available in the
     pkgsrc  system.  As  these  products are found to be vulnerable, or
     updated,   the   packages   will   be   updated   accordingly.  The
     audit-packages  mechanism can be used to check for known-vulnerable
     package versions.

Netfilter

     No  statement is currently available from the vendor regarding this
     vulnerability.

NetScreen

     No  statement is currently available from the vendor regarding this
     vulnerability.

Network Appliance

     No  statement is currently available from the vendor regarding this
     vulnerability.

Nokia

     No  statement is currently available from the vendor regarding this
     vulnerability.

Nortel Networks

     The  following  Nortel  Networks  Generally  Available products and
     solutions   are   potentially   affected   by  the  vulnerabilities
     identified  in  NISCC  Vulnerability  Advisory 006489/H323 and CERT
     VU#749342:

     Business Communications Manager (BCM) (all versions) is potentially
     affected;  more  information is available in Product Advisory Alert
     No. PAA 2003-0392-Global.

     Succession  1000  IP  Trunk  and  IP  Peer  Networking,  and 802.11
     Wireless  IP  Gateway are potentially affected; more information is
     available in Product Advisory Alert No. PAA-2003-0465-Global.

     For more information please contact

     North America: 1-800-4NORTEL or 1-800-466-7835
     Europe, Middle East and Africa: 00800 8008 9009,
     or +44 (0) 870 907 9009

     Contacts for other regions are available at

     http://www.nortelnetworks.com/help/contact/global/

     Or visit the eService portal at http://www.nortelnetworks.com/cs
     under Advanced Search.

     If  you  are a channel partner, more information can be found under

     http://www.nortelnetworks.com/pic

     under Advanced Search.

Novell

     No  statement is currently available from the vendor regarding this
     vulnerability.

Objective Systems Inc.

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

OpenBSD

     No  statement is currently available from the vendor regarding this
     vulnerability.

Openwall GNU/*/Linux

     No  statement is currently available from the vendor regarding this
     vulnerability.

RadVision

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Red Hat Inc.

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Oracle Corporation

     No  statement is currently available from the vendor regarding this
     vulnerability.

Riverstone Networks

     No  statement is currently available from the vendor regarding this
     vulnerability.

Secure Computing Corporation

     No  statement is currently available from the vendor regarding this
     vulnerability.

SecureWorks

     No  statement is currently available from the vendor regarding this
     vulnerability.

Sequent

     No  statement is currently available from the vendor regarding this
     vulnerability.

Sony Corporation

     No  statement is currently available from the vendor regarding this
     vulnerability.

Stonesoft

     No  statement is currently available from the vendor regarding this
     vulnerability.

Sun Microsystems Inc.

     Sun  SNMP  does  not  provide  support  for  H.323,  so  we are not
     vulnerable.  And so far we have not found any bundled products that
     are   affected   by   this  vulnerability.  We  are  also  actively
     investigating  our  unbundled products to see if they are affected.
     Updates   will  be  provided  to  this  statement  as  they  become
     available.

SuSE Inc.

     No  statement is currently available from the vendor regarding this
     vulnerability.

Symantec Corporation

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Unisys

     No  statement is currently available from the vendor regarding this
     vulnerability.

TandBerg

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Tumbleweed Communications Corp.

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

TurboLinux

     No  statement is currently available from the vendor regarding this
     vulnerability.

uniGone

     Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
     http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

WatchGuard

     No  statement is currently available from the vendor regarding this
     vulnerability.

Wirex

     No  statement is currently available from the vendor regarding this
     vulnerability.

Wind River Systems Inc.

     No  statement is currently available from the vendor regarding this
     vulnerability.

Xerox

     No  statement is currently available from the vendor regarding this
     vulnerability.

ZyXEL

     No  statement is currently available from the vendor regarding this
     vulnerability.
     _________________________________________________________________

   The CERT Coordination Center thanks the NISCC Vulnerability Management
   Team and the University of Oulu Security Programming Group (OUSPG) for
   coordinating  the  discovery  and  release of the technical details of
   this issue.
     _________________________________________________________________

   Feedback may be directed to the authors: Jeffrey S. Havrilla, Mindi J.
   McDowell, Shawn V. Hernan and Jason A. Rafail
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2004-01.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   ______________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2004 Carnegie Mellon University.

   Revision History
January 13, 2004:  Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQASK7JZ2NNT/dVAVAQG65wP8C7DyEvZGz0HqXtRqk+PAjjpMqex1hdjT
BfkT6oHMhTWIdvUE1mpAwnV7OPL+N+UugCC0bAEXQzBy/YkBBOptt7IZdIeOlInh
AP0RO5zqt0GqMIrdW7P14iWBX2lLCQaMUgWNyvK4ZTNE9UzpOgBk2JonfBLjbH77
KeVgAqcfP2M=
=p0GQ
-----END PGP SIGNATURE-----