Voice-over-IP vulnerabilities; impact to Microsoft's ISA Server 2000

Dangerous Voice Over IP Vulnerabilities Common

Voice over IP (VoIP) products based on H.323, from such vendors as Cisco, Microsoft, Nortel, and Tandberg, are vulnerable to a number of security attacks, warns Internet Security Systems’ (ISS) X-Force. “Testing has uncovered a number of VoIP vendors [that are] vulnerable, with risks ranging from denial of service [attacks] to improper bounds checking resulting in possible remote system compromise,” the company says in a statement. In addition, “Multiple vulnerabilities affect key network infrastructure software, including Cisco's Internetwork Operating System (IOS) that is ubiquitous to core routing hardware.”

ISS notes H.323 is often used in “VoIP applications and video conferencing applications for the exchange of voice and video communications over networked systems.” The test suite in question sends H.323-based products “unusual or improper call signaling messages” to trigger the vulnerabilities.

Specially formed H.225.0v4 messages can “omit required fields,” says ISS, or specify fields of illegal lengths to exploit known vulnerabilities in the software. (H.225.0v4 is a protocol for “call signaling and session establishment.”) Troublingly, “these vulnerabilities can typically be exploited by an unauthenticated remote attacker.”

“H.323 enabled products range from endpoints (usually IP phones or video conferencing products), to H.323 gatekeepers (often found on routers), to H.323 enabled firewalls. The standard port used for H.323 call-signaling messages is TCP (and in some cases UDP) port 1720,” ISS notes.

A working exploit already exists, developed as a test suite by the University of Oulu. “The test suite in question functions by creating malformed or otherwise illegally formatted H.225.0v4 call signaling messages, and has uncovered remotely exploitable vulnerabilities in many H.323 implementations.”
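The two malformation classes described above (required fields omitted, fields carrying illegal lengths) are exactly what a strict call-signaling parser has to reject before any length from the wire is used as a buffer index. The following is an added example, not code from ISS, the University of Oulu test suite, or any vendor: a small Python parser for H.225.0-style SETUP messages carried as TPKT over TCP port 1720, with sample messages constructed inline. It assumes the Q.931/H.225.0 layout as summarised in the docstring (2-octet call reference, 2-octet length on the User-User IE, 1-octet length on other variable-length IEs); the IE values and call references in the samples are constructed placeholders, not captured traffic.

```python
"""Strict parser for H.225.0-style call-signaling messages (TPKT + Q.931).

Constructed educational example; not code from ISS, the University of Oulu
test suite, or any vendor. Assumed field layout (Q.931 / H.225.0):
a 4-byte TPKT header (version 3, reserved, 2-byte total length), a Q.931
header with protocol discriminator 0x08 and a 2-octet call reference, the
message type, then information elements (IEs). The User-User IE (0x7E)
carries the PER-encoded H.225.0 payload and uses a 2-octet length; other
variable-length IEs use a 1-octet length; single-octet IEs (bit 8 set)
carry no length byte at all.
"""
import struct

TPKT_VERSION = 3
Q931_PROTOCOL_DISCRIMINATOR = 0x08
MSG_SETUP = 0x05
IE_BEARER_CAPABILITY = 0x04
IE_USER_USER = 0x7E
# H.225.0 makes both of these mandatory in a SETUP message.
REQUIRED_SETUP_IES = {IE_BEARER_CAPABILITY, IE_USER_USER}


class MalformedMessage(ValueError):
    """Raised for any message that fails a structural check."""


def parse_setup(raw: bytes) -> dict:
    """Parse one SETUP message, refusing anything inconsistent or incomplete.

    Every length read from the wire is compared against the bytes actually
    present before it is used to slice, which is the check whose absence
    the reports describe as improper bounds checking.
    """
    if len(raw) < 4:
        raise MalformedMessage("truncated TPKT header")
    version, _reserved, tpkt_len = struct.unpack("!BBH", raw[:4])
    if version != TPKT_VERSION:
        raise MalformedMessage(f"unexpected TPKT version {version}")
    if tpkt_len != len(raw):
        raise MalformedMessage(
            f"TPKT length {tpkt_len} disagrees with {len(raw)} bytes received")

    body = raw[4:]
    if len(body) < 2 or body[0] != Q931_PROTOCOL_DISCRIMINATOR:
        raise MalformedMessage("missing Q.931 protocol discriminator")
    cr_len = body[1] & 0x0F
    if cr_len != 2:
        raise MalformedMessage(f"call reference length {cr_len} (H.225.0 requires 2)")
    pos = 2 + cr_len
    if pos >= len(body):
        raise MalformedMessage("missing message type")
    call_ref = body[2:pos]
    msg_type = body[pos] & 0x7F
    pos += 1
    if msg_type != MSG_SETUP:
        raise MalformedMessage(f"not a SETUP message (type 0x{msg_type:02x})")

    ies: dict[int, bytes] = {}
    while pos < len(body):
        ie_id = body[pos]
        pos += 1
        if ie_id & 0x80:
            # Single-octet IE (e.g. shift, sending complete): no length, no value.
            continue
        len_size = 2 if ie_id == IE_USER_USER else 1
        if pos + len_size > len(body):
            raise MalformedMessage(f"IE 0x{ie_id:02x} truncated before its length")
        ie_len = int.from_bytes(body[pos:pos + len_size], "big")
        pos += len_size
        if pos + ie_len > len(body):
            # The illegal-length case: the IE claims more bytes than exist.
            raise MalformedMessage(
                f"IE 0x{ie_id:02x} claims {ie_len} bytes but only "
                f"{len(body) - pos} remain")
        ies[ie_id] = body[pos:pos + ie_len]
        pos += ie_len

    missing = REQUIRED_SETUP_IES - ies.keys()
    if missing:
        # The omitted-field case.
        raise MalformedMessage(
            "missing required IE(s): " + ", ".join(f"0x{i:02x}" for i in sorted(missing)))
    return {"call_reference": call_ref, "message_type": msg_type, "ies": ies}


def build_setup(call_ref: bytes, ies: list[tuple[int, bytes]]) -> bytes:
    """Encode a SETUP message with a correct TPKT length (used for sample input)."""
    body = bytes([Q931_PROTOCOL_DISCRIMINATOR, len(call_ref)]) + call_ref + bytes([MSG_SETUP])
    for ie_id, value in ies:
        len_size = 2 if ie_id == IE_USER_USER else 1
        body += bytes([ie_id]) + len(value).to_bytes(len_size, "big") + value
    return struct.pack("!BBH", TPKT_VERSION, 0, 4 + len(body)) + body


def classify(raw: bytes) -> str:
    """Return 'ok' for a well-formed SETUP, otherwise the reason it was rejected."""
    try:
        parse_setup(raw)
        return "ok"
    except MalformedMessage as exc:
        return str(exc)


# Constructed sample messages (placeholders, not captured traffic).
BEARER_CAP = bytes([0x88, 0x18, 0xC0, 0xA5])   # constructed bearer-capability value
UUIE = b"\x20" + b"\x00" * 15                   # constructed stand-in for the PER payload
GOOD_SETUP = build_setup(b"\x00\x01", [(IE_BEARER_CAPABILITY, BEARER_CAP), (IE_USER_USER, UUIE)])
# Omits the mandatory Bearer Capability IE.
MISSING_FIELD = build_setup(b"\x00\x02", [(IE_USER_USER, UUIE)])
# Same bytes as GOOD_SETUP but the User-User length is rewritten to 0xFFFF,
# far beyond the bytes present; a parser that trusts it reads past its buffer.
OVERLONG_FIELD = GOOD_SETUP[:-(2 + len(UUIE))] + b"\xff\xff" + UUIE

if __name__ == "__main__":
    for name, msg in [("good", GOOD_SETUP), ("missing", MISSING_FIELD), ("overlong", OVERLONG_FIELD)]:
        print(f"{name:9s}: {classify(msg)}")
```

Running the block reports `ok` for the well-formed message, a missing-IE error for the second and an over-length error for the third. The same checks, applied at an H.323-aware firewall filter or gatekeeper before the payload is copied anywhere, are what turn the buffer overflow the reports describe into a rejected packet and a log line.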

ISS urges customers of any H.323 products to contact vendors and install relevant security patches immediately.

Microsoft: Critical ISA Server Vulnerability

In its monthly disclosure of software vulnerabilities, Microsoft warned its Internet Security and Acceleration Server 2000 is vulnerable to remote code execution. The company says this H.323-related vulnerability affects “Microsoft Internet Security and Acceleration Server 2000, Microsoft Small Business Server 2000 (which includes Microsoft Internet Security and Acceleration Server 2000), [and] Microsoft Small Business Server 2003 (which includes Microsoft Internet Security and Acceleration Server 2000).”

The vulnerability could allow attackers to remotely execute code. Security information provider Secunia rates the vulnerability “highly critical” and, in addition to remote code exploits, warns it could allow denial of service attacks.

“The vulnerability is caused due to various errors in the processing of H.323 traffic over TCP, which allows malicious people to overflow a buffer. This can be exploited by sending specially crafted messages to an affected system,” says Secunia. Those messages arrive over the protocol’s default TCP port, 1720.

Secunia also notes: “The H.323 filter is enabled by default on systems running in integrated or firewall mode.”

An update is available.

Microsoft Internet Security and Acceleration Server 2000 patch:

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.