Vulnerability Note VU#749342

Multiple vulnerabilities in H.323 implementations

Overview

A number of vulnerabilities have been discovered in various implementations of the multimedia telephony protocols H.323 and H.225. Voice over Internet Protocol (VoIP) and video conferencing equpiment and software can use these protocols to interoperate over a variery of computer networks. The majority of the vulnerabilities discovered are limited to denial of service impacts; however, several may allow unauthorized code execution.

I. Description

The U.K. National Infrastructure Security Co-ordination Center (NISCC) has reported multiple vulnerabilities in different vendor implementations of the multimedia telephony protocols H.323 and H.225. H.323 and H.225 are international standard protocols, published by the International Telecommunications Union, used to facilitate communication among telephony and multimedia systems. An example of such a system includes VoIP or video-conferencing equipment and software deployed on a network or computer. Sending an exceptional ASN.1 element to a vulnerable telephony component that cannot handle it may cause the application or system behavior to become unpredictable.

A test suite developed by NISCC has exposed vulnerabilities in a variety of H.323/H.225 implementations. While most of these vulnerabilities exist in ASN.1 parsing routines, some vulnerabilities may occur elsewhere. Due to the general lack of specific vulnerability information, this document covers multiple vulnerabilities in different H.323/H.225 implementations. Information about individual vendors is available in the Systems Affected section.

The U.K. National Infrastructure Security Co-ordination Centre is tracking this vulnerability as NISCC/006489/H.323.

II. Impact

The impacts associated with these vulnerabilities include denial of service, and potential execution of arbitrary code.

III. Solution

Patch or Upgrade

Apply a patch or upgrade as appropriate. Information about specific vendors is available in the Systems Affected section of this document.
One potential workaround includes making sure ports 1720/tcp and 1720/udp are blocked on network perimeters.

Systems Affected

Vendor	Status	Date Updated
3Com	Unknown	12-Jan-2004
Alcatel	Unknown	30-Jan-2004
Apple Computer, Inc.	Not Vulnerable	13-Jan-2004
AT&T	Unknown	13-Jan-2004
Avaya	Unknown	13-Jan-2004
Berkeley Software Design, Inc.	Unknown	13-Jan-2004
Borderware	Unknown	13-Jan-2004
Check Point	Vulnerable	30-Jan-2004
Cisco Systems, Inc.	Vulnerable	13-Jan-2004
Clavister	Not Vulnerable	30-Jan-2004
Computer Associates	Unknown	13-Jan-2004
Cyberguard	Not Vulnerable	13-Jan-2004
D-Link Systems	Unknown	13-Jan-2004
Debian Linux	Unknown	13-Jan-2004
EMC Corporation	Unknown	13-Jan-2004
Engarde	Unknown	13-Jan-2004
eSoft	Not Vulnerable	13-Jan-2004
Extreme Networks	Unknown	13-Jan-2004
F5 Networks, Inc.	Unknown	13-Jan-2004
Foundry Networks Inc.	Not Vulnerable	30-Jan-2004
FreeBSD, Inc.	Unknown	13-Jan-2004
Fujitsu	Unknown	30-Jan-2004
Global Technology Associates	Unknown	13-Jan-2004
Hewlett-Packard Company	Vulnerable	5-Apr-2004
Hitachi	Not Vulnerable	13-Jan-2004
IBM-zSeries	Unknown	13-Jan-2004
IBM eServer	Unknown	13-Jan-2004
Ingrian Networks, Inc.	Unknown	13-Jan-2004
Intel	Vulnerable	27-Feb-2004
Intoto	Unknown	13-Jan-2004
Juniper Networks, Inc.	Unknown	13-Jan-2004
Lachman	Unknown	13-Jan-2004
Linksys	Unknown	13-Jan-2004
Lotus Software	Unknown	13-Jan-2004
Lucent Technologies	Unknown	13-Jan-2004
Mandriva, Inc.	Unknown	13-Jan-2004
Mandriva, Inc.	Unknown	13-Jan-2004
Microsoft Corporation	Vulnerable	13-Jan-2004
Mitel Networks	Unknown	10-Feb-2004
MontaVista Software, Inc.	Unknown	13-Jan-2004
Multi-Tech Systems Inc.	Unknown	13-Jan-2004
NEC Corporation	Unknown	13-Jan-2004
NetBSD	Not Vulnerable	13-Jan-2004
Netfilter	Unknown	13-Jan-2004
NetScreen	Not Vulnerable	30-Jan-2004
Network Appliance	Unknown	13-Jan-2004
Nokia	Unknown	13-Jan-2004
Nortel Networks, Inc.	Vulnerable	13-Jan-2004
Novell, Inc.	Unknown	13-Jan-2004
Objective Systems Inc.	Not Vulnerable	13-Jan-2004
OpenBSD	Unknown	13-Jan-2004
Openwall GNU/*/Linux	Unknown	13-Jan-2004
Oracle Corporation	Unknown	13-Jan-2004
Polycom	Vulnerable	30-Nov-2006
RadVision	Vulnerable	13-Jan-2004
Red Hat, Inc.	Not Vulnerable	13-Jan-2004
Riverstone Networks	Unknown	13-Jan-2004
Secure Computing Corporation	Unknown	13-Jan-2004
SecureWorks	Unknown	13-Jan-2004
Sequent Computer Systems, Inc.	Unknown	13-Jan-2004
Sony Corporation	Unknown	30-Jan-2004
Stonesoft	Unknown	13-Jan-2004
Sun Microsystems, Inc.	Not Vulnerable	14-Jan-2004
SUSE Linux	Unknown	13-Jan-2004
Symantec Corporation	Not Vulnerable	13-Jan-2004
TandBerg	Vulnerable	13-Jan-2004
Tumbleweed Communications Corp.	Not Vulnerable	13-Jan-2004
TurboLinux	Unknown	13-Jan-2004
uniGone	Not Vulnerable	13-Jan-2004
Unisys	Unknown	13-Jan-2004
WatchGuard	Unknown	13-Jan-2004
Wind River Systems, Inc.	Unknown	13-Jan-2004
Wirex	Unknown	13-Jan-2004
Xerox	Not Vulnerable	15-Jan-2004
ZyXEL	Unknown	13-Jan-2004

References

http://www.kb.cert.org/vuls/id/927278
http://www.kb.cert.org/vuls/id/428230
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
http://www.itu.int/itudoc/itu-t/rec/h/h225-0.html
http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/h2250v4/index.html

Credit

The CERT Coordination Center thanks the NISCC Vulnerability Management Team and the University of Oulu Security Programming Group OUSPG for coordinating the discovery and release of the technical details of this issue.

This document was written Jeffrey S. Havrilla based on information from NISCC.

Other Information

Date Public	01/13/2003
Date First Published	01/13/2004 09:01:09 AM
Date Last Updated	11/30/2006
CERT Advisory	CA-2004-01
CVE Name	CAN-2003-0819
US-CERT Technical Alerts
Metric	13.67
Document Revision	40

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader