Publications Catalog Historical Documents Authorized Users of "CERT" US-CERT Vulnerability Notes Database Vulnerability Disclosure Policy Courses

CERT^® Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities

Original release date: January 13, 2004
Last revised: April 05, 2004
Source: CERT/CC, NISCC

A complete revision history can be found at the end of this file.

Systems Affected

Many software and hardware systems that implement the H.323 protocol
Examples include
- Voice over Internet Protocol (VoIP) devices and software
- Video conferencing equipment and software
- Session Initiation Protocol (SIP) devices and software
- Media Gateway Control Protocol (MGCP) devices and software
- Other networking equipment that may process H.323 traffic (e.g., routers and firewalls)

Overview

A number of vulnerabilities have been discovered in various implementations of the multimedia telephony protocol H.323. Voice over Internet Protocol (VoIP) and video conferencing equipment and software can use these protocols to communicate over a variety of computer networks.

I. Description

The U.K. National Infrastructure Security Co-ordination Centre (NISCC) has reported multiple vulnerabilities in different vendor implementations of the multimedia telephony protocol H.323. H.323 is an international standard protocol, published by the International Telecommunications Union, used to facilitate communication among telephony and multimedia systems. Examples of such systems include VoIP, video-conferencing equipment, and network devices that manage H.323 traffic. A test suite developed by NISCC and the University of Oulu Security Programming Group (OUSPG) has exposed multiple vulnerabilities in a variety of implementations of the H.323 protocol (specifically its connection setup sub-protocol H.225.0).

Information about individual vendor H.323 implementations is available in the Vendor Information section below, and in the Vendor Information section of NISCC Vulnerability Advisory 006489/H323.

The U.K. National Infrastructure Security Co-ordination Centre is tracking these vulnerabilities as NISCC/006489/H.323. The CERT/CC is tracking this issue as VU#749342. This reference number corresponds to CVE candidate CAN-2003-0819, as referenced in Microsoft Security Bulletin MS04-001.

II. Impact

Exploitation of these vulnerabilities may result in the execution of arbitrary code or cause a denial of service, which in some cases may require a system reboot.

III. Solution

Apply a patch or upgrade

Appendix A and the Systems Affected section of Vulnerability Note VU#749342 contain information provided by vendors for this advisory. However, as vendors report new information to the CERT/CC, we will only update VU#749342. If a particular vendor is not listed, we have not received their comments. Please contact your vendor directly.

Filter network traffic

Sites are encouraged to apply network packet filters to block access to the H.323 services at network borders. This can minimize the potential of denial-of-service attacks originating from outside the perimeter. The specific services that should be filtered include

1720/TCP
1720/UDP

Note these are default ports only and may vary on a site-by-site basis.

If access cannot be filtered at the network perimeter, the CERT/CC recommends limiting access to only those external hosts that require H.323 for normal operation. As a general rule, filtering all types of network traffic that are not required for normal operation is recommended.

It is important to note that some firewalls process H.323 packets and may themselves be vulnerable to attack. As noted in some vendor recommendations like Cisco Security Advisory 20040113-h323 and Microsoft Security Bulletin MS04-001, certain sites may actually want to disable application layer inspection of H.323 network packets.

Protecting your infrastructure against these vulnerabilities may require careful coordination among application, computer, network, and telephony administrators. You may have to make tradeoffs between security and functionality until vulnerable products can be updated. For example, blocking port 1720/udp on segments of a network may break certain functionality related to gateway discovery..

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. Please see the Systems Affected section of Vulnerability Note VU#749342 and the Vendor Information section of NISCC Vulnerability Advisory 006489/H323 for the latest information regarding the response of the vendor community to this issue.

3Com

Alcatel

Apple Computer Inc.

AT&T

Avaya

Borderware

Check Point

BSDI

Cisco Systems Inc.

Clavister

Computer Associates

Cyberguard

Debian

D-Link Systems

Conectiva

EMC Corporation

Engarde

eSoft

Extreme Networks

F5 Networks

Foundry Networks Inc.

FreeBSD

Fujitsu

Global Technology Associates

Hitachi

Hewlett-Packard Company

Ingrian Networks

Intel

Intoto

Juniper Networks

Lachman

Linksys

Lotus Software

Lucent Technologies

Microsoft Corporation

MontaVista Software

MandrakeSoft

Multi-Tech Systems Inc.

NEC Corporation

NetBSD

Netfilter

NetScreen

Network Appliance

Nokia

Nortel Networks

Novell

Objective Systems Inc.

OpenBSD

Openwall GNU/*/Linux

RadVision

Red Hat Inc.

Oracle Corporation

Riverstone Networks

Secure Computing Corporation

SecureWorks

Sequent

Sony Corporation

Stonesoft

Sun Microsystems Inc.

SuSE Inc.

Symantec Corporation

Unisys

TandBerg

Tumbleweed Communications Corp.

TurboLinux

uniGone

WatchGuard

Wirex

Wind River Systems Inc.

Xerox

ZyXEL

The CERT Coordination Center thanks the NISCC Vulnerability Management Team and the University of Oulu Security Programming Group (OUSPG) for coordinating the discovery and release of the technical details of this issue.

Feedback may be directed to the authors: Jeffrey S. Havrilla, Mindi J. McDowell, Shawn V. Hernan and Jason A. Rafail

This document is available from: http://www.cert.org/advisories/CA-2004-01.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Revision History

Jan 13, 2004:  Initial release
Jan 15, 2004:  Added caveat to filtering workaround
Jan 15, 2004:  Updated Xerox statement
Apr 05, 2004:  Updated HP statement

CERT® Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities