A number of vulnerabilities have been discovered in various implementations of the multimedia telephony protocols H.323 and H.225. Voice over Internet Protocol (VoIP) and video conferencing equpiment and software can use these protocols to interoperate over a variety of computer networks. The majority of the vulnerabilities discovered are limited to denial of service impacts; however, several may allow unauthorized code execution.
The U.K. National Infrastructure Security Co-ordination Center (NISCC) has reported multiple vulnerabilities in different vendor implementations of the multimedia telephony protocols H.323 and H.225. H.323 and H.225 are international standard protocols, published by the International Telecommunications Union, used to facilitate communication among telephony and multimedia systems. An example of such a system includes VoIP or video-conferencing equipment and software deployed on a network or computer. Sending an exceptional ASN.1 element to a vulnerable telephony component that cannot handle it may cause the application or system behavior to become unpredictable.
A test suite developed by NISCC has exposed vulnerabilities in a variety of H.323/H.225 implementations. While most of these vulnerabilities exist in ASN.1 parsing routines, some vulnerabilities may occur elsewhere. Due to the general lack of specific vulnerability information, this document covers multiple vulnerabilities in different H.323/H.225 implementations. Information about individual vendors is available in the Systems Affected section.
The impacts associated with these vulnerabilities include denial of service, and potential execution of arbitrary code.
Patch or Upgrade
One potential workaround includes making sure ports 1720/tcp and 1720/udp are blocked on network perimeters.
Check Point Affected
Cisco Systems, Inc. Affected
Hewlett-Packard Company Affected
Microsoft Corporation Affected
Nortel Networks, Inc. Affected
Apple Computer, Inc. Not Affected
Clavister Not Affected
Cyberguard Not Affected
Foundry Networks Inc. Not Affected
Hitachi Not Affected
NetBSD Not Affected
NetScreen Not Affected
Objective Systems Inc. Not Affected
Red Hat, Inc. Not Affected
Sun Microsystems, Inc. Not Affected
Symantec Corporation Not Affected
Tumbleweed Communications Corp. Not Affected
Xerox Not Affected
eSoft Not Affected
uniGone Not Affected
Berkeley Software Design, Inc. Unknown
Computer Associates Unknown
D-Link Systems Unknown
Debian Linux Unknown
EMC Corporation Unknown
Extreme Networks Unknown
F5 Networks, Inc. Unknown
FreeBSD, Inc. Unknown
Global Technology Associates Unknown
IBM eServer Unknown
Ingrian Networks, Inc. Unknown
Juniper Networks, Inc. Unknown
Lotus Software Unknown
Lucent Technologies Unknown
Mandriva, Inc. Unknown
Mandriva, Inc. Unknown
Mitel Networks Unknown
MontaVista Software, Inc. Unknown
Multi-Tech Systems Inc. Unknown
NEC Corporation Unknown
Network Appliance Unknown
Novell, Inc. Unknown
Openwall GNU/*/Linux Unknown
Oracle Corporation Unknown
Riverstone Networks Unknown
SUSE Linux Unknown
Secure Computing Corporation Unknown
Sequent Computer Systems, Inc. Unknown
Sony Corporation Unknown
Wind River Systems, Inc. Unknown
The CERT Coordination Center thanks the NISCC Vulnerability Management Team and the University of Oulu Security Programming Group OUSPG for coordinating the discovery and release of the technical details of this issue.
This document was written Jeffrey S. Havrilla based on information from NISCC.