Several critical vulnerabilities have been discovered in voice over Internet Protocol (VoIP) and videoconferencing products based on the H.323 protocol that’s used in IP telephony applications to exchange audio and video communications.
VoIP products from several vendors, including Microsoft Corp., Cisco Systems Inc. and Nortel Networks Ltd., are affected by the flaws, with risks including denial-of-service attacks and remote system compromise, according to an advisory from Atlanta-based Internet Security Systems Inc. (ISS).
The flaws were discovered by the U.K.’s National Infrastructure Security Coordination Centre using a test suite designed by the Finland-based Oulu University Secure Programming Group (OUSPG). The OUSPG test suite was designed to identity flaws in the H.323 protocol.
A similar test suite developed by the OUSPG led to the discovery in 2002 of several implementation specific flaws in the Simple Network Management Protocol. According to Neel Mehta, a security researcher at ISS’s X-Force group, the vulnerabilities are the result of coding errors in the H.323 implementations from each of the vendors.
The vulnerabilities in Cisco’s Internetworking Operating System (IOS) software caused the biggest concern because of the widespread use of the operating system on Internet routers, Mehta said.
According to a Cisco advisory, all of its products running IOS and supporting H.323 packet processing are affected. “This may include the Network Address Translation (NAT) components of Cisco devices, and security features in Cisco devices such as Content-Based Access Control,” according to an ISS advisory.
Several other Cisco products that don’t run IOS are also affected, including Cisco CallManager Versions 3.0 through 3.3, Cisco BTS 10200 Softswitch and the Cisco 7905 IP Phone H.323 Software Version 1.00, according to a statement from the company.
“The vulnerabilities discovered in the affected products can be easily and repeatedly demonstrated with the use of the (test suite),” the Cisco advisory said. It goes on to add that exploitation of the flaws could result in denial-of-service attacks, system crashes and performance degradation. Cisco in its statement announced several fixes and work-around for the vulnerabilities.
In a similar advisory, Microsoft warned users of a critical vulnerability in the H.323 filter for its Internet Security and Acceleration Server 2000. Successful exploitation of the flaw could allow attackers to take complete control of a compromised system, said the Microsoft advisory.
In advising users to patch affected software immediately, Microsoft also announced work-arounds that can block attacks. One of them is to disable H.323 filters, thereby blocking H.323 traffic.
An advisory posted by the CERT Coordination Center at Carnegie Mellon University in Pittsburgh listed more than 60 vendors whose products could be affected by H.323 flaws.
