__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN CERT: Multiple H.323 Message Vulnerabilities [CERT Advisory CA-2004-01] January 16, 2004 20:00 GMT Number O-062 [REVISED 30 Jan 2004] [REVISED 26 Feb 2004] [REVISED 17 June 2004] ______________________________________________________________________________ PROBLEM: A number of vulnerabilities have been discovered in various implementations of the multimedia telephony protocol H.323. PLATFORM: Multimedia telephony protocol H.323 SunForum 3.2 (for Solaris 2.6, 7, 8, and 9) or earlier SunForum 3D 1.0 (for Solarie 8 and 9) DAMAGE: Exploitation of these vulnerabilities may result in the execution of arbitrary code or cause a denial of service, which in some cases may require a system reboot. SOLUTION: Install the security update. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. A successful Denial of Service can have a ASSESSMENT: wide impact on operations. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-062.shtml ORIGINAL BULLETIN: CERT Advisory CA-2004-01 http://www.cert.org/advisories/CA-2004-01.html ADDITIONAL LINKS: Check Point H.323 Security Vulnerability of 1/25/04 http://www.checkpoint.com/techsupport/alerts/h323.html Debian Security Advisory DSA-448-1 http://www.debian.org/security/2004/dsa-448 Sun Alert ID: 57476 http://www.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert %2F57476&zone_32=category%3Asecurity CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2003-0819 NOTE: CIAC recommends monitoring CERT's web site for on-going vendor revisions to this bulletin. ______________________________________________________________________________ REVISION HISTORY: 01/30/04 - added a link to Check Point H.323 Security Vulnerability of 1/25/04. 02/26/04 - added a link to Debian Security Advisory DSA-448-1. 06/17/04 - added a link to Sun Alert ID: 57476. [***** Start CERT Advisory CA-2004-01 *****] CERTŪ Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities Original release date: January 13, 2004 Last revised: January 15, 2004 Source: CERT/CC, NISCC A complete revision history can be found at the end of this file. Systems Affected * Many software and hardware systems that implement the H.323 protocol Examples include * Voice over Internet Protocol (VoIP) devices and software * Video conferencing equipment and software * Session Initiation Protocol (SIP) devices and software * Media Gateway Control Protocol (MGCP) devices and software * Other networking equipment that may process H.323 traffic (e.g., routers and firewalls) Overview A number of vulnerabilities have been discovered in various implementations of the multimedia telephony protocol H.323. Voice over Internet Protocol (VoIP) and video conferencing equipment and software can use these protocols to communicate over a variety of computer networks. I. Description The U.K. National Infrastructure Security Co-ordination Centre (NISCC) has reported multiple vulnerabilities in different vendor implementations of the multimedia telephony protocol H.323. H.323 is an international standard protocol, published by the International Telecommunications Union, used to facilitate communication among telephony and multimedia systems. Examples of such systems include VoIP, video- conferencing equipment, and network devices that manage H.323 traffic. A test suite developed by NISCC and the University of Oulu Security Programming Group (OUSPG) has exposed multiple vulnerabilities in a variety of implementations of the H.323 protocol (specifically its connection setup sub-protocol H.225.0). Information about individual vendor H.323 implementations is available in the Vendor Information section below, and in the Vendor Information section of NISCC Vulnerability Advisory 006489/H323. The U.K. National Infrastructure Security Co-ordination Centre is tracking these vulnerabilities as NISCC/006489/H.323. The CERT/CC is tracking this issue as VU#749342. This reference number corresponds to CVE candidate CAN-2003-0819, as referenced in Microsoft Security Bulletin MS04-001. II. Impact Exploitation of these vulnerabilities may result in the execution of arbitrary code or cause a denial of service, which in some cases may require a system reboot. III. Solution Apply a patch or upgrade Appendix A and the Systems Affected section of Vulnerability Note VU#749342 contain information provided by vendors for this advisory. However, as vendors report new information to the CERT/CC, we will only update VU#749342. If a particular vendor is not listed, we have not received their comments. Please contact your vendor directly. Filter network traffic Sites are encouraged to apply network packet filters to block access to the H.323 services at network borders. This can minimize the potential of denial-of-service attacks originating from outside the perimeter. The specific services that should be filtered include * 1720/TCP * 1720/UDP Note these are default ports only and may vary on a site-by-site basis. If access cannot be filtered at the network perimeter, the CERT/CC recommends limiting access to only those external hosts that require H.323 for normal operation. As a general rule, filtering all types of network traffic that are not required for normal operation is recommended. It is important to note that some firewalls process H.323 packets and may themselves be vulnerable to attack. As noted in some vendor recommendations like Cisco Security Advisory 20040113-h323 and Microsoft Security Bulletin MS04-001, certain sites may actually want to disable application layer inspection of H.323 network packets. Protecting your infrastructure against these vulnerabilities may require careful coordination among application, computer, network, and telephony administrators. You may have to make tradeoffs between security and functionality until vulnerable products can be updated. For example, blocking port 1720/udp on segments of a network may break certain functionality related to gateway discovery.. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. Please see the Systems Affected section of Vulnerability Note VU#749342 and the Vendor Information section of NISCC Vulnerability Advisory 006489/H323 for the latest information regarding the response of the vendor community to this issue. 3Com No statement is currently available from the vendor regarding this vulnerability. Alcatel No statement is currently available from the vendor regarding this vulnerability. Apple Computer Inc. Apple: Not Vulnerable. Mac OS X and Mac OS X Server do not contain the issue described in this note. AT&T No statement is currently available from the vendor regarding this vulnerability. Avaya Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov.uk/ vuls/2004/006489/h323.htm Borderware No statement is currently available from the vendor regarding this vulnerability. Check Point No statement is currently available from the vendor regarding this vulnerability. BSDI No statement is currently available from the vendor regarding this vulnerability. Cisco Systems Inc. Please see http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml Clavister No statement is currently available from the vendor regarding this vulnerability. Computer Associates No statement is currently available from the vendor regarding this vulnerability. Cyberguard Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov. uk/vuls/2004/006489/h323.htm Debian No statement is currently available from the vendor regarding this vulnerability. D-Link Systems No statement is currently available from the vendor regarding this vulnerability. Conectiva No statement is currently available from the vendor regarding this vulnerability. EMC Corporation No statement is currently available from the vendor regarding this vulnerability. Engarde No statement is currently available from the vendor regarding this vulnerability. eSoft We don't have an H.323 implementation and thus aren't affected by this. Extreme Networks No statement is currently available from the vendor regarding this vulnerability. F5 Networks No statement is currently available from the vendor regarding this vulnerability. Foundry Networks Inc. No statement is currently available from the vendor regarding this vulnerability. FreeBSD No statement is currently available from the vendor regarding this vulnerability. Fujitsu Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov. uk/vuls/2004/006489/h323.htm Global Technology Associates No statement is currently available from the vendor regarding this vulnerability. Hitachi Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov. uk/vuls/2004/006489/h323.htm Hewlett-Packard Company Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov. uk/vuls/2004/006489/h323.htm Ingrian Networks No statement is currently available from the vendor regarding this vulnerability. Intel No statement is currently available from the vendor regarding this vulnerability. Intoto No statement is currently available from the vendor regarding this vulnerability. Juniper Networks No statement is currently available from the vendor regarding this vulnerability. Lachman No statement is currently available from the vendor regarding this vulnerability. Linksys No statement is currently available from the vendor regarding this vulnerability. Lotus Software No statement is currently available from the vendor regarding this vulnerability. Lucent Technologies Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov. uk/vuls/2004/006489/h323.htm Microsoft Corporation Please see http://www.microsoft.com/technet/security/bulletin/MS04-001.asp MontaVista Software No statement is currently available from the vendor regarding this vulnerability. MandrakeSoft No statement is currently available from the vendor regarding this vulnerability. Multi-Tech Systems Inc. No statement is currently available from the vendor regarding this vulnerability. NEC Corporation No statement is currently available from the vendor regarding this vulnerability. NetBSD NetBSD does not ship any H.323 implementations as part of the Operating System. There are a number of third-party implementations available in the pkgsrc system. As these products are found to be vulnerable, or updated, the packages will be updated accordingly. The audit-packages mechanism can be used to check for known- vulnerable package versions. Netfilter No statement is currently available from the vendor regarding this vulnerability. NetScreen No statement is currently available from the vendor regarding this vulnerability. Network Appliance No statement is currently available from the vendor regarding this vulnerability. Nokia No statement is currently available from the vendor regarding this vulnerability. Nortel Networks The following Nortel Networks Generally Available products and solutions are potentially affected by the vulnerabilities identified in NISCC Vulnerability Advisory 006489/H323 and CERT VU#749342: Business Communications Manager (BCM) (all versions) is potentially affected; more information is available in Product Advisory Alert No. PAA 2003-0392-Global. Succession 1000 IP Trunk and IP Peer Networking, and 802.11 Wireless IP Gateway are potentially affected; more information is available in Product Advisory Alert No. PAA-2003-0465-Global. For more information please contact North America: 1-800-4NORTEL or 1-800-466-7835 Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009 Contacts for other regions are available at http://www.nortelnetworks.com/help/contact/global/ Or visit the eService portal at http://www.nortelnetworks.com/cs under Advanced Search. If you are a channel partner, more information can be found under http://www. nortelnetworks.com/pic under Advanced Search. Novell No statement is currently available from the vendor regarding this vulnerability. Objective Systems Inc. Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov. uk/vuls/2004/006489/h323.htm OpenBSD No statement is currently available from the vendor regarding this vulnerability. Openwall GNU/*/Linux No statement is currently available from the vendor regarding this vulnerability. RadVision Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov. uk/vuls/2004/006489/h323.htm Red Hat Inc. Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov. uk/vuls/2004/006489/h323.htm Oracle Corporation No statement is currently available from the vendor regarding this vulnerability. Riverstone Networks No statement is currently available from the vendor regarding this vulnerability. Secure Computing Corporation No statement is currently available from the vendor regarding this vulnerability. SecureWorks No statement is currently available from the vendor regarding this vulnerability. Sequent No statement is currently available from the vendor regarding this vulnerability. Sony Corporation No statement is currently available from the vendor regarding this vulnerability. Stonesoft No statement is currently available from the vendor regarding this vulnerability. Sun Microsystems Inc. Sun SNMP does not provide support for H.323, so we are not vulnerable. And so far we have not found any bundled products that are affected by this vulnerability. We are also actively investigating our unbundled products to see if they are affected. Updates will be provided to this statement as they become available. SuSE Inc. No statement is currently available from the vendor regarding this vulnerability. Symantec Corporation Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov. uk/vuls/2004/006489/h323.htm Unisys No statement is currently available from the vendor regarding this vulnerability. TandBerg Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov.u k/vuls/2004/006489/h323.htm Tumbleweed Communications Corp. Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov. uk/vuls/2004/006489/h323.htm TurboLinux No statement is currently available from the vendor regarding this vulnerability. uniGone Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov. uk/vuls/2004/006489/h323.htm WatchGuard No statement is currently available from the vendor regarding this vulnerability. Wirex No statement is currently available from the vendor regarding this vulnerability. Wind River Systems Inc. No statement is currently available from the vendor regarding this vulnerability. Xerox Not Vulnerable A response to this vulnerability is available from our Security Information site: http://www.xerox.com/security. ZyXEL No statement is currently available from the vendor regarding this vulnerability. -------------------------------------------------------------------------------- The CERT Coordination Center thanks the NISCC Vulnerability Management Team and the University of Oulu Security Programming Group (OUSPG) for coordinating the discovery and release of the technical details of this issue. -------------------------------------------------------------------------------- Feedback may be directed to the authors: Jeffrey S. Havrilla, Mindi J. McDowell, Shawn V. Hernan and Jason A. Rafail -------------------------------------------------------------------------------- This document is available from: http://www.cert.org/advisories/CA-2004-01.html -------------------------------------------------------------------------------- CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. -------------------------------------------------------------------------------- NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. -------------------------------------------------------------------------------- Conditions for use, disclaimers, and sponsorship information Copyright 2004 Carnegie Mellon University. Revision History January 13, 2004: Initial release January 15, 2004: Added caveat to filtering workaround January 15, 2004: Updated Xerox statement [***** End CERT Advisory CA-2004-01 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of CERT for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) O-052: Microsoft Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation O-053: Microsoft Buffer Overrun in MDAC Function Could Allow Code Execution O-054: Red Hat Updated kdepim Packages Resolve Security Vulnerability O-055: Red Hat Updated elm Packages Fix Vulnerability in frm Command O-056: Hewlett-Packard dtterm Vulnerability O-057: Hewlett-Packard libDtSvc Vulnerability O-058: Hewlett-Packard SharedX Vulnerability O-059: Debian Linux-Kernel-2.4.14-ia64 Vulnerabilities O-060: Debian Password Expiration Vulnerability O-061: Red Hat Updated tcpdump Packages Fix Various Vulnerabilities