Security Software

Flaws Threaten VoIP Networks? 159

jdkane writes "CNET News reports that security flaws have been found in products that use VoIP and text messaging, including those from Microsoft and Cisco Systems. What's interesting, in Microsoft's case, is that the Internet Security and Acceleration Server product that's also affected is designed to help protect companies' networks from online attacks. Specifically, a filter used in the server that secures VoIP communications is vulnerable to the flaw."
  • by somethinghollow ( 530478 ) on Wednesday January 14, 2004 @10:43PM (#7981879) Homepage Journal
    Imagine that... Microsoft making a product with security flaws! Someone call the press...
    • problem is, where could you find a reporter who would care? "microsoft messed up again? ho hum. ooo look, congressional scandal! yay!" right
    • by pvt_medic ( 715692 ) on Wednesday January 14, 2004 @10:47PM (#7981919)
      but the better part is the fact that the security filter is the flaw. So maybe Microsoft should give up on the whole security thing.
      • Re:Imagine That (Score:5, Insightful)

        by interiot ( 50685 ) on Wednesday January 14, 2004 @11:24PM (#7982163) Homepage
        Well, various Java VMs have had problems in the past, does that mean we should just throw them away? Similarly for user-privilege-separation in the linux kernel. The whole reason we write narrow pieces of code that focus on security is that we realize that it's impossible to guarantee a piece of code is bug-free. So instead, we do the two things that help clear out bugs the best: we make the important security-related code as small as possible, and we give it time for people to find bugs and for us to fix them. After a while, you have a simple and mature piece of code that enhances the security of everything else, allowing the code it protects to be fast-changing and complex yet. It really seems like the right way to go to me. Finding and repairing flaws over time is how you gain maturity.
        • Re:Imagine That (Score:1, Insightful)

          by Anonymous Coward
          Microsoft has been around since 1975, how long do you intend maturity to set in? I think you try too hard.
        • I think that most of the comments so far are pretty cheap jabs, easily done.

          Though I partially agree with the sentiment, I disagree with your conclusions in both cause and effect.
          maturity != security.

          likewise:
          brevity != security.

          There is no magic formula that will equate to security. But there are some practices that will go a long ways and it does not take brevity or maturity to implement them. MS has shown no sign of ever implementing brevity (by any scale that has ever been made public), and matur
      • Now, doesn't that phrase strike you as something of an oxymoron?
    • Re:Imagine That (Score:5, Interesting)

      by bfree ( 113420 ) on Wednesday January 14, 2004 @10:48PM (#7981930)
      Vulnerable (updates available): Cisco and Microsoft
      Unknown: Avaya, Fujitsu, Hewlett-Packard, Lucent and Nortel
      Safe: Apple, Hitachi, NetBSD, Red Hat and Symantec
      Is that a point for Security through open source as the two open products are already in the safe pile?
    • Re:Imagine That (Score:2, Insightful)

      by cball2k ( 319068 )
      ya, linux never has a flaw, or bug, the errata pages are there just for giggles...

      stones, glass house....
  • by ObviousGuy ( 578567 ) <ObviousGuy@hotmail.com> on Wednesday January 14, 2004 @10:43PM (#7981881) Homepage Journal
    So it seems they've already fixed the problem.

    Should we blame lazy sysadmins for not keeping their systems patched?

    Or should we blame Microsoft?
    • I know I'm probably going to get pounded for saying this, but you'd think that Microsoft would test for things like this before release. I know that they must do lots of testing, but still. Not everything can be fixed by a patch two or three weeks later.
    • by Creepy Crawler ( 680178 ) on Wednesday January 14, 2004 @10:50PM (#7981935)
      But when the patch is 40MB that "fixes" many things that were never broken, can you trust the patch?

      Knowing MS, they'll offload packs that will break something else, or require deps on Service Packs. How do I know that upgrading Win2K SP2 to SP4 won't break the medical reporting server?
      • Right. The bottom line is that Microsoft sucks. It really is that simple. Anyone who doesn't believe it is either naive, greedy, or stupid.
      • Well hey, that's why your IT group should have looked at TCO and bought a BSD or Linux box.
        • by Creepy Crawler ( 680178 ) on Thursday January 15, 2004 @01:20AM (#7982841)
          Here's why we don't consider Linux/Unix:

          http://www.despair.com/consulting.html

          Simply enough, it doesn't break once you set it up. Windows setups break on a regular basis, and my employers want yet more and more money.

          Consulting with the "good old boy" businesses are the hardest to get Linux in.
          • Simply enough, it doesn't break once you set it up. Windows setups break on a regular basis, and my employers want yet more and more money.

            Another reason to go with open protocols is that they don't "rust" with time.

            We have RedHat 6.2 machines serving over 50 HTTP requests per second during peak hours. And the only reason we haven't changed them (upgraded ?) is that there are no problems with the services..(we apply our own patches of course)

            Try to do that with a Microsoft product and after 2-3 year

      • Well, of course, they will further break win2k (to say nothing of 9x) -- they still need to bring it down to a completely unusable level (as the IE 6 did for win98; SP4 already did lots of damage to win2k). How else could they corral everyone into their latest DRM infested crippleware / moronware (the XP). They ain't the biggest for nothing.

    • Blame everyone, it's more consistent.
    • So it seems they've already fixed the problem.
      Should we blame lazy sysadmins for not keeping their systems patched?
      Or should we blame Microsoft?
      ?

      Yes.
      Blame the lazy System admin for not applying the patch.
      Blame Microsoft for training WinNT System admins to not apply the patch.
      (Windows admins believe they need to run tests to be sure everything will work with the patch.
      Either that is poor training or a history of defective patches. Both are in the hands of Microsoft.)
    • Should we blame lazy sysadmins for not keeping their systems patched? Or should we blame Microsoft?

      Don't blame any!
      Microsoft has kindly sent me 5 mails with the patch today. No lazy admin could miss it!

      Just check your inbox and be safe.
    • Also, if you're running on a Microsoft OS, then chances are that you're not really going to lose sleep over adding a few more vulnerabilities, are you?
  • by caston ( 711568 ) on Wednesday January 14, 2004 @10:43PM (#7981882)
    If that's impossible then this isn't slashdot.
  • by WillRobinson ( 159226 ) on Wednesday January 14, 2004 @10:45PM (#7981894) Journal
    I saw that embedded XP beat out linux for Radio Shack's POS.. Wait till the hackers get into that system..

    Wonder why we are fed-xing all these remote control cars to russia?? Must be popular there..
    • Now we know why they're called "POS"es.

      ***RIMSHOT***

    • Re:Thats nothing (Score:3, Interesting)

      by strider3700 ( 109874 )
      I work at a POS company. Our customers split about 50/50 terminal vs PC but on the PC they basically just get a terminal shell. We refuse to support the PC stations so it doesn't affect us much, but we do see a lot of people switching back to terminals unless they do other work on the PC. On the back end server we use a piece of shit OS called theos, it's being replaced with Linux in a massive rewrite. No one in their right mind would run something as important as a POS system on windows, it's
      • Are they still around? I interviewed there many years ago, only knew a little prior to the interview, and was astounded that they were going to write all their next stuff from scratch ... GUI, TCP/IP ... got out of there as fast as I could, figured they wouldn't be in business much longer if they had to do everything the hard way. A real bad attitude they had, snooty and snobby, like everyone else in the world was a loser and only they were doing the right thing. This was probably 1990 or so.
        • One thing that I've learned working with theos is it takes a very long time for a company to die. They are doing a little better recently, 5 months ago if you called support you got either the president or the senior programmer. At that time our best guess was they had 4 people working for them. Now they probably have 6-8. Makes you feel really confident.

          They managed to implement TCP/IP but for whatever reason we can't get more than 350 kb/s out of them on our 100 MB networks. The GUI was final
          • I poked around their website, not much to see. I guess it makes sense that some customers would be locked in and not have any choices; if it works and they have no expansion plans, no big harm in keeping it. But I am sooo glad I didn't take that job. I have worked at companies that were on both sides of similar lockin situations, and it gives me shudders to think of doing that again, from either side.
  • by silconous ( 636675 ) on Wednesday January 14, 2004 @10:47PM (#7981914) Journal
    But Cisco is just as vulnerable and wider spread as IOS 11.3 and greater is flawed
  • Give them a break (Score:5, Insightful)

    by odeee ( 741339 ) on Wednesday January 14, 2004 @10:47PM (#7981920)
    The same flaws affect many products - not just Microsoft. And the flaws are H.323 flaws - not necessarily ones introduced by Microsoft.

    In Cisco products - they are also vulnerable [cisco.com] - and particularly when used as firewalls or edge devices.

    But then again it's more fun to blame MS isn't it ;-)

  • Great quote (Score:5, Interesting)

    by fiendo ( 217830 ) on Wednesday January 14, 2004 @10:48PM (#7981925)
    "It is kind of the same situation that we have seen--a certain level of human error is going to be present and that is true even for security software," said Stephen Toulouse, security program manager for Microsoft.

    Wow that ought to really bolster a customer's confidence: Not only are you saying this type of mistake is common in your experience, your excuse is "Hey we're only human"! Uh isn't that why you're supposed to have quality assurance?

  • *manly voice* "Hey baby, do you like it hard?" *sexy voice* "Yeah, like that" *my voice* "How about this: have real sex"
  • wow (Score:5, Insightful)

    by ThePretender ( 180143 ) on Wednesday January 14, 2004 @10:51PM (#7981945) Homepage
    Several other companies also produce products that may be affected, but as of midday Tuesday only Cisco and Microsoft had issued advisories and patches.
    Wow. While other companies are investigating, the MS patch machine has already spit one out. Give 'em a little credit. Nah, this was just lucky hehe
    • Re:wow (Score:2, Interesting)

      Makes you wonder. They issue a patch so quickly that you must wonder, do they really work that fast? Or was the problem so simple that it was easy to fix? Not that getting a patch out quickly is bad, mind you, it's just that you hope quality doesn't suffer. All we need is a patch for the bugs in the last three patches.
  • Blah. (Score:2, Funny)

    by i_am_syco ( 694486 )
    Since the whole no-way-Microsoft-would-ever-have-a-security-hole joke has been done to death, I'll do a different one. ... Wait, nothing could be funnier than the irony of someone saying no-security-holes-in-Microsoft-products.
  • I guess... (Score:2, Funny)

    by Anonymous Coward
    However, on Microsoft's Internet Security and Acceleration Server 2000, which is included with Small Business Server 2000 and 2003 editions, the vulnerability could allow an attacker to take control of the system.
    Well, I guess that rules out the slashdot crowd...I mean, who in their right mind would want to take over a Microsoft computer?

    Oh, the horror!
  • by tyler@mango.net.nz ( 129548 ) on Wednesday January 14, 2004 @10:55PM (#7981969)
    Since Microsoft released their "Depend on certified security" firewall, it has had 8 Security Bulletins (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp?productid=110&servicepackid=0&chkcritical=on&chkimportant=on&chkmoderate=on&chklow=on&seldaterange=0&txtdatestart=&txtdateend=&submit1=go) (and far more holes, due to Microsoft's 'monthly cluster together all the bugs we found this month and call it one hole deal.') I have installed about 20 of these fine things, and the amount of bugs and hotfixes we have found and needed to get is amazing. Microsoft Proxy Server only had ONE security hole. In fact, Proxy Server v1.0 was a single DLL which slid into IIS4! Proxy Server 2.0 SP1 could fit on a floppy. The problem is everyone uses ISA, because no other firewall I have found can provide the following. 1. Basic Reporting on Users (jo used x MB and went to these web sites.) 2. Tie in to Active Directory, so we don't have to setup and maintain another directory.
    • by Anonymous Coward
      We place our ISA boxes behind Checkpoint FW1 in their own DMZ. Enlightened or cowardly?
    • by Anonymous Coward
      The problem is everyone uses ISA, because no other firewall I have found can provide the following. 1. Basic Reporting on Users (jo used x MB and went to these web sites.) 2. Tie in to Active Directory, so we don't have to setup and maintain another directory.

      You haven't looked very hard. My company uses squid [squid-cache.org], and it uses NTLM authentication against a windows 2000 domain. Users are authenticated automagically using the integrated IE authentication, and there's only one password store - the active directo
    • that on the same page they talk about this flaw, they have the link for "How to Check If You Have ISA Server [microsoft.com]"

      Is the audience of this page really the people we want running and securing corporate networks?
  • by Anonymous Coward on Wednesday January 14, 2004 @10:59PM (#7982001)
    What about Open H.323?
    Anyone know whether that project is going to be suffering the same vulnerability?
    • Any vendor that implements the H.323 standard is likely suspect. If the ASN.1 parser is built into the stack then it's probably vulnerable. Since OpenH323 is open source of course we could just look at the underlying code for ourselves :-)
  • by Anonymous Coward
    Will it be script-kiddies or certain phone companies getting nervous about competitors going VoIP?
  • by phaetonic ( 621542 ) on Wednesday January 14, 2004 @11:00PM (#7982011)
    *walks and stops in one place* Can you hack me now? ... Good. *walks and stops in one place* Can you hack me now? ... Good.
  • meh... (Score:5, Interesting)

    by netwiz ( 33291 ) on Wednesday January 14, 2004 @11:02PM (#7982024) Homepage
    just a buffer overflow. I'm not really surprised; sooner or later this was going to happen. I'm just surprised that it popped up in Cisco's case.

    Altho, as I think about it, I get the feeling that Cisco got a bunch of network multimedia handling code from MS. I remember back in '98 or '99, they announced a software partnership w/ MS, causing much hand-wringing on /. to the effect that we might see NT-based routers. IOS is too heavily leveraged in Cisco's products, but the actual processes and services that run on it could come from anybody.

    The fact that this looks to a few vendors (MS and Cisco being the biggies), and knowing how MS looks to diversify only makes me wonder how much of MS's wonderful code has managed to worm its way into the other devices I use...

    Hmm... Maybe this had something to do w/ all the dreadful STP and bridging issues I had on the Catalyst 8540 platform...
    • Re:meh... (Score:5, Informative)

      by afidel ( 530433 ) on Wednesday January 14, 2004 @11:20PM (#7982135)
      Actually all of the affected Cisco products are in fact services that run on Windows. I know that this fact was a big concern among quite a few engineers at Cisco that wanted to port CallManager to L/Unix so that OS vulnerabilities wouldn't affect the stability of a product that they were aiming at Enterprise customers. Of course management went and did the exact opposite by tying the multimedia capabilities of CCM to an Exchange backend =(
      • Actually all of the affected Cisco products are in fact services that run on Windows.

        Uh, sorry, but the ATA 18x series equipment are hardware boxes that are in no way Windows Services.

        Vonage uses the ATA 186 for their service, although it's not vulnerable as in Vonage's case it's SIP.

        More here [cisco.com]
      • Re:meh... (Score:2, Interesting)

        by zbaron ( 649094 )
        We were an early adopter of Cisco CallManager and IP handsets (our director was taken to lots of lunches by Cisco reps), we used uOne as the voicemail because it was before Unity was available. Within 12 months, it was being pulled out, partly due to the fact that Cisco q.sig was different from NEC q.sig and the PABX and the "PABX" could not talk to each other, partly due to the platform it was deployed on, especially when we were told Exchange had to be part of the mix. All feedback to Cisco was based ar
      • Re:meh... (Score:2, Informative)

        by doogles ( 103478 )
        Actually all of the affected Cisco products are in fact services that run on Windows. I know that this fact was a big concern among quite a few engineers at Cisco that wanted to port CallManager to L/Unix so that OS vulnerabilities wouldn't affect the stability of a product that they were aiming at Enterprise customers. Of course management went and did the exact opposite by tying the multimedia capabilities of CCM to an Exchange backend =(

        Well, it's obvious you've looked at the Cisco IP Telephony product
        • I believe the core reason for Cisco migrating to Linux-based appliances is support; when customers see a WINDOWS 2000 splash screen, they think of it as a Windows box. They tinker. I would wager I get at least one support issue a week because customers "play".

          It's not that hard to change the splash screen on Windows. The issue is more likely to be that Windows is a "Personal Computer" operating system. Where such tinkering is often not only possible but encouraged...
      • Actually all of the affected Cisco products are in fact services that run on Windows.

        The 7905 and ATA18X are hardware devices that have no Windows OS.

        All the affected Cisco IOS routers that run as H.323 gateways, H.323 proxies, NAT and/or CBAC have no MS product in them whatsoever.

        Furthermore, the CCM issue has nothing to do with the MS ISA server vulnerability as CCM doesn't even ship with or allow you to run ISA server. It is further not affected by the vulnerability with CCM 3.1-
      • Actually this also involves devices running IOS as well. From Cisco advisory [cisco.com]:
        All Cisco products that run Cisco IOS software and support H.323 packet processing are affected
      • Actually, no, some of the affected services run on IOS as part of the Plus images for the 7000, 6500, 8500, and 12000 series routers. Most of the Bug ID references in the Cisco advisory detail issues where the H.323 handler goes nuts and consumes all the CPU on the router.

        As you can guess, this does not help router performance :)
  • by Anonymous Coward on Wednesday January 14, 2004 @11:07PM (#7982062)
    It's not (just) MS here that is having a problem. Bet on having a whole buncha security reports trickling in over the next few years with VoIP.

    1. It's an immature technology with immature implementations -- it's not shaken down yet to get all the flaws out (not just coding, but conceptual)
    2. The products and protocols (i.e. SIP (Silly Improvised Protocol)) are very ambitious and attempt to provide for making voice calls, IM, centrex features, user interaction with end point interfaces, presence, and emergency services, and cook your breakfast, too. Combined with #1 above, security flaws and problems are going to abound.
    3. Due to the ambitious, broad, and sprawling nature of the protocols and products, interoperability is going to be strained and painful, especially until a few dominant players shake out -- again expect problems due to interoperability side effects.
    4. As VoIP products and service spread, along with a plethora of devices, it is quite possible that a killer app or a brand new application shows up -- that manages to stretch the implements in unforeseen ways. (i.e. cookies with HTTP). Once consumer fads and marketing start driving the product development tooooo fast, expect more flaws until things mature.


    Taken all together, VoIP should be deployed very carefully in places where network security is important. You might even run into a case where even if your computer network is completely separate from the Internet, but you use VoIP over the internal LAN via an IP PBX, someone might hack your phone/VoIP endpoint through the encoded voice stream and gain access to your LAN. Stranger things have happened.
    • someone might hack your phone/VoIP endpoint through the encoded voice stream and gain access to your LAN.

      Yes! Wardialing is back!

    • I know this is something of a long shot, but given the amount of work shipped overseas these days, could that process or product contribute to problems in "newer" applications such as VoIP?

      If you make the assumption that most core network systems we use now were largely coded before shipping work overseas was so widespread but newer protocol implementations like VoIP (yes, I know its more of a "system" than a specific protocol), are those protocols/systems going to be vulnerable to all the usual drawbacks
  • by seigniory ( 89942 ) <bigfriggin@[ ]com ['me.' in gap]> on Wednesday January 14, 2004 @11:15PM (#7982111)
    Percentage-wise, I'd bet a meeelion dollars that the folks here on /. are much more familiar with VoIP, TCP/IP, Cisco, MS, etc. than they are with whatever the heck the kids are using these days for enterprise analog voice networks.

    Is it any surprise that everyone on here, pulling from their "wide" experience on both types of networks, thinks that things are oh-so-much worse with VoIP than they were/are with analog?

    Look: vulnerabilities exist everywhere. If you had more people on this board that do analog telephony as a hobby/job than do PCs/*nix/etc. the articles would all be about Lucent/AT&T's switch vulnerabilities and how we should all switch to the "new bulletproof VoIP" stuff I keep hearing about.

    I'll also bet *2* meeeeeelion dollars that if MS wasn't mentioned in the article, that nowhere near as many people would be jumping on this (although that's a big fat DUH).
    • I'm sorry, but I have to question this one. How many enterprises do you know using _analog_ telephony? I'm not aware of any OS vulnerabilities in Lucent/AT&T PBXs, are you? Another point is the differentiation between the PCs/*nix world and telephony. Lucent uses a Unix derivative on its PBXs, Avaya uses Unix/Linux. Hmmm, starting to sound like the PC world...

      About my sig... It worked!
    • Too true. Mod parent up.

      Having worked for many years with telco sector companies, I know too well how most traditional PBXs and equipment have virtually no security: countless cases of hard-coded passwords, clear text access protocols, plain telnet remote administration, not to mention the enormous security holes of the more common variety whenever a computer is integrated into the system.
      Now many of these manufacturers are moving into VoIP by hybridizing their proprietary 'protocols' with RTP. What can yo
  • by Frater 219 ( 1455 ) on Wednesday January 14, 2004 @11:25PM (#7982169) Journal
    Slashdot editors, technical journalists, and others writing serious articles on the subject would be well-advised to drop terms such as "VoIP security flaw" or "products that use VoIP". Voice-over-IP is a general application category, and gives very little help in discerning whether an issue affects a particular site or product.

    Suppose that a new bug were described as a "file sharing security flaw". Now, does that affect Samba? FTP? NFS? Kazaa? File server bots on IRC? One expects good technical reporting to mention the affected services -- or better yet, actual products -- rather than simply describing a general application category.

    Specifically, in the VoIP application category, there are two major signaling protocols in use: H.323 and SIP. The last round of "VoIP security flaws" affected SIP software. The current discoveries affect H.323. Describing both as "VoIP flaws" and suggesting that the application domain itself is "threatened" is really quite silly. It is as if someone suggested that a certain bug in IIS and another in Freenet together suggested that "file transfer" on the Internet were threatened.

    (For those who don't know much about VoIP: H.323 is the older of the two protocols, and is closer to the "telecoms" way of doing things. It was, IIRC, originally connected to ISDN. SIP is newer, and closer to the "Internet" way of doing things -- if you look at packet captures of it, they look vaguely reminiscent of HTTP, only they're UDP.)

    • ... they look vaguely reminiscent of HTTP, only they're UDP.)

      Not just vaguely reminiscent. SIP message formats (request/status line followed by headers) are pretty much like HTTP headers. The response codes like 200 (OK), 404 (Not Found) too are from HTTP. SIP implements authentication using the HTTP digest authentication scheme. Most of the early SIP implementations were on UDP. TCP is however the mandatory transport to be supported by SIP end-points and servers. SIP also works over TLS.


    • You're 100% correct. My much more informative article with 4 times the links was rejected, no doubt because the title was "H.323 vulnerability affects Cisco, MS, and more (articles,security) (rejected)" and H.323 just isn't "catchy" enough to be an article subject.
  • Weird Quote? (Score:1, Offtopic)

    I know I'm going to regret asking this, but what does "sillema sillema nika su" mean? It was a fortune on slashdot.

    Google shows very few hits for "sillema".
  • Specifically, a filter used in the server that secures VoIP communications is vulnerable to the flaw.

    Didn't we mean:

    'Specifically, a filter used in the server that secures VoIP communications is vulnerable due to the flaw.' ...?

  • Something written by Microsoft that was supposed to protect against attacks was found vulnerable. This won't be the last time it happens. Cisco, on the other hand, has no excuse given their record.
    • You obviously didn't RTFA or look any deeper than "Oooh Microsoft is mentioned. They suck so they're the real bad guys." There are inherent flaws in the standard H.323 implementation. That's why vendors employing this standard are all affected. Nortel, Cisco, Microsoft, et al. There was another post on this topic that mentioned ASN.1 being the specific piece that's vulnerable. And this is supposedly part of the Linux 2.6 kernel. God forbid!!

  • by Jonboy X ( 319895 ) <jonathan,oexner&alum,wpi,edu> on Wednesday January 14, 2004 @11:31PM (#7982203) Journal
    Cool! Now if you leave voice mail over 2 minutes long, instead of an annoying beep, you get root access!

    Love those buffer exploits...
  • by liamk ( 411747 ) <liamk@lFORTRANia ... m minus language> on Thursday January 15, 2004 @12:58AM (#7982702) Homepage
    I've received several calls and emails from customers today asking about the relevancy of the Cisco Security Alert. By and large, I only deal with enterprise/corporate-type customers (not large VoIP service providers), and I install a ton of Cisco VoIP products, so this comment really only applies to that segment of the marketplace.



    I don't think that this is going to be as large of a problem as Cisco's earlier [cisco.com] issues [cisco.com]. Although a worm could target home users running IP telephony applications on their PC's, this vulnerability is non-replicating and the potential for abuse is rather limited.



    Basically, there are two major Cisco product lines that are affected by this bug. The first is Cisco's VoIP infrastructure products: the Cisco CallManager server, Conferencing Server, Softswitch and IOS-based routers running H.323 services, among others. Except where the public has access to VoIP services over the Internet, these servers and routers are located on the inside of a firewall. In a best-practices network design, all access to these servers and routers is either via the internal LAN or through a secure VPN connection over the Internet (or any other public network, for that matter). I would find it very unusual to have these services available publicly. If I left a Cisco router with POTS access and an easily guessable dial peer on an Internet-accessible LAN, the potential for toll fraud would be enormous (free calls, lots 'o free calls).



    The second group of products that are vulnerable are Cisco routers performing NAT and firewall services. Cisco's Content Based Access-Control (CBAC) -- a "dynamic firewall" technology -- is also vulnerable to the H.323 DoS attacks in the same manner as the Microsoft IAS server. Once again, unless H.323 ports are open to unrestricted access from the Internet, routers are not vulnerable from random outside attacks. Traffic that originated from behind the firewall would be able to disrupt services, however it's much easier to apply an access list to track and block the offending traffic than it is to prevent an external DoS attack.



    What's my point? I don't see a widespread attack being able to disable servers and routers on a large scale. Unless attacks are originated from inside a corporate firewall, the potential for disrupted services are minimal. I'm sure that large VoIP service providers are scrambling to patch and secure whatever systems possible - however, they are much better equipped to handle this issue than a Mom and Pop business who happens to have a CallManager server (at least we hope).



    For people who are running these products, I'm recommending a thorough review of external firewall policies to make sure that there aren't any exposed H.323 ports. I'm also recommending an upgrade when it's feasible, but IMHO, there aren't many situations that would require burning the midnight oil to install patches.



    Just my $.02.

  • Cisco has the same problem as Microsoft: The infrastructure that is supposed to protect vulnerable systems is itself vulnerable. Routers running IOS software which have some kind of H.323 support are affected, and this includes the IOS firewalling code (for CBAC, content-based access control).

    This time, the PIX code base is unaffected, but Cisco claims that they incorporate legacy IOS code into the PIX software: "Provides comprehensive OSPF dynamic routing services on Cisco PIX Security Appliances using te
  • Yeah this is what happens when you outsource I.T. work & they implement Microsoft or 3rd party software end to end solutions for VoIP. Use a damn router with real encryption like we did years ago. It's amazing how stupid businesses got in I.T. in the last 3 years since Clinton sent our jobs overseas.
  • by kris ( 824 ) <kris-slashdot@koehntopp.de> on Thursday January 15, 2004 @05:26AM (#7983772) Homepage
    The current H.323 flaw is based on bugs in the ASN.1 parser used in these products. The big bugs in almost all SNMP implementations a year ago or so also were based in ASN.1 parsing failures. Many openssl bugs are based in ASN.1 parsing failures.

    The linux kernel 2.6 just got ASN.1 parsing INSIDE THE KERNEL in order to implement AUTH_KERB as part of the NFS/Kerberos client. Expect ASN.1 parsing based bugs inside the Linux kernel real soon now.
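
The class of parsing failure the comment above refers to, shown as an added example that is not part of the original thread and not code from any affected product: a bounds-checked decoder for BER-style tag/length/value headers (the encoding used by SNMP and X.509; H.323 itself uses PER, which is not shown here). The function names, error codes and sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration: defensive parsing of BER-style TLV headers.
 * Every length read from the wire is checked against the bytes that
 * are actually present before it is used. */

enum {
    TLV_OK = 0,
    TLV_TRUNCATED = -1,   /* header itself runs past the buffer     */
    TLV_BAD_LENGTH = -2,  /* length field wider than size_t          */
    TLV_OVERRUN = -3,     /* declared content exceeds what remains   */
    TLV_UNSUPPORTED = -4, /* high-tag-number or indefinite length    */
    TLV_TOO_DEEP = -5     /* nesting beyond TLV_MAX_DEPTH            */
};

#define TLV_MAX_DEPTH 16

typedef struct {
    uint8_t tag;
    size_t hdr_len; /* bytes occupied by tag + length field */
    size_t len;     /* declared content length              */
} tlv_t;

/* Parse one TLV header at buf. On success the content is guaranteed
 * to lie entirely inside buf[0..buflen). */
int tlv_parse(const uint8_t *buf, size_t buflen, tlv_t *out)
{
    if (buflen < 2)
        return TLV_TRUNCATED;
    uint8_t tag = buf[0];
    if ((tag & 0x1f) == 0x1f)
        return TLV_UNSUPPORTED;          /* multi-byte tag number */
    size_t pos = 1;
    uint8_t first = buf[pos++];
    size_t len;
    if (first < 0x80) {
        len = first;                     /* short form */
    } else {
        size_t n = first & 0x7f;         /* long form: n length bytes */
        if (n == 0)
            return TLV_UNSUPPORTED;      /* indefinite length */
        if (n > sizeof(size_t))
            return TLV_BAD_LENGTH;       /* would overflow len */
        if (n > buflen - pos)
            return TLV_TRUNCATED;
        len = 0;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[pos++];
    }
    /* Compare against the remainder; never compute pos + len, which
     * could wrap around for attacker-chosen lengths. */
    if (len > buflen - pos)
        return TLV_OVERRUN;
    out->tag = tag;
    out->hdr_len = pos;
    out->len = len;
    return TLV_OK;
}

/* Validate a whole buffer, recursing into constructed elements with
 * the parent's content length as the child's bound.
 * Returns the number of elements seen, or a negative TLV_* error. */
int tlv_walk(const uint8_t *buf, size_t buflen, int depth)
{
    if (depth > TLV_MAX_DEPTH)
        return TLV_TOO_DEEP;
    int count = 0;
    size_t off = 0;
    while (off < buflen) {
        tlv_t t;
        int rc = tlv_parse(buf + off, buflen - off, &t);
        if (rc != TLV_OK)
            return rc;
        count++;
        if (t.tag & 0x20) {              /* constructed: has children */
            rc = tlv_walk(buf + off + t.hdr_len, t.len, depth + 1);
            if (rc < 0)
                return rc;
            count += rc;
        }
        off += t.hdr_len + t.len;        /* safe: bounded by tlv_parse */
    }
    return count;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_GOOD[]      = {0x30, 0x06, 0x02, 0x01, 0x05, 0x04, 0x01, 0x41};
static const uint8_t SAMPLE_OVERRUN[]   = {0x04, 0x05, 0x41, 0x42};
static const uint8_t SAMPLE_HUGE[]      = {0x04, 0x84, 0xff, 0xff, 0xff, 0xff, 0x41};
static const uint8_t SAMPLE_TRUNCATED[] = {0x04, 0x82, 0x01};
static const uint8_t SAMPLE_INNER[]     = {0x30, 0x03, 0x04, 0x05, 0x41};
static const uint8_t SAMPLE_WIDE[]      = {0x04, 0x89, 0x00};

int main(void)
{
    printf("good:      %d\n", tlv_walk(SAMPLE_GOOD, sizeof SAMPLE_GOOD, 0));
    printf("overrun:   %d\n", tlv_walk(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN, 0));
    printf("huge:      %d\n", tlv_walk(SAMPLE_HUGE, sizeof SAMPLE_HUGE, 0));
    printf("truncated: %d\n", tlv_walk(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 0));
    printf("inner:     %d\n", tlv_walk(SAMPLE_INNER, sizeof SAMPLE_INNER, 0));
    printf("wide:      %d\n", tlv_walk(SAMPLE_WIDE, sizeof SAMPLE_WIDE, 0));
    return 0;
}
```
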
  • Acid Test (Score:3, Insightful)

    by tacocat ( 527354 ) <tallison1 AT twmi DOT rr DOT com> on Thursday January 15, 2004 @06:03AM (#7983893)

    The acid test will be how long it will take for Vonage [vonage.com] to respond to this Advisory. They ship affected Cisco routers.

    They can run a telephone communications business with a mere fraction of the people that AT&T does, but can they effectively manage their system when something goes wrong?

    • I believe the Cisco routers used by Vonage utilize SIP and not H.323.

      According to Cisco:

      "Cisco ATA 18x series products are only vulnerable when configured for H.323. They are not vulnerable when configured for SIP."

      http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml
  • Well what I find interesting is how many people here throw "stones" at microsoft systems! Is Linux bug free ?? hasn't ssh been designed to provide secure communications and openssh has had flaws ?
    So, can I say that ssh suX big time just because of that ? Guess not, at least not me...
    I work with both microsoft and linux servers, I like them both for different reasons!

    The example of OpenSSH is one out of many. And Microsoft has many bugs too, I'm not saying the contrary. But I think many people here, sho
    • No doubt. These VoIP flaws involve flawed implementations of the H.323 standard. They also involve multiple vendors --- including Internet voice/data cornerstones like Cisco and Nortel. So obviously it's not like Microsoft is all alone on this one. This time at least :-0

      Cisco equipment can be totally locked up requiring rebooting, for example, due to IOS flaws supporting VoIP. And it affects practically every IOS version that's out there. That is pretty serious stuff in my book.

      Sometimes it's better to

    • The problem is that the bugs that show up are hidden in the code. So what you see with microsoft is the effect not the flaw. Just try to do a debug on an MS proprietary pipe! The output is deliberately obscured. The trick is to do a binary backtrace, or crack, then you can figure out the exact nature of the bug. The gnu debugger on the other hand will even suggest a fix if you find a memory error! It's too bad most MS server people can't write squat when it comes to code, and can't fix squat without a moused
  • Taking all factors into account. This vulnerability affects many vendors due to standard H.323 implementation which involves ASN.1 parsing. As copied from Packetizer.Com.

    H.323 Security Flaw Real, Impact Minimal

    (January 13, 2004) Apex, NC - An article published today on CNET and resulting from a security advisory posted by NISCC reported a security vulnerability with H.323. The flaw is related to H.323 and its use of ASN.1 Packed Encoding Rules (PER) for encoding and decoding messages, improper handling
