
Critical Microsoft ISA patch cures ills in H.323 telco protocol

By Edward Hurley, SearchSecurity.com
13 Jan 2004 | SearchSecurity.com


Many H.323 implementations flawed
Cisco yesterday issued an alert warning of vulnerabilities in many of its projects due to incorrect processing of H.323-based messages. Workarounds and upgrades are available to prevent denial of service, buffer-overflow attacks and possible execution of arbitrary code.

However, the flaw's discoverers at the University of Oulu Security Programming Group (OUSPG) said that many implementations of H.323 (and its components H.225 and Q.931) are also flawed, including implementations by other major vendors.

H.323 is an International Telecommunication Union (ITU) standard widely used in real-time multimedia communications and conferencing over packet-based networks. Cisco uses H.323 for a variety of purposes, including voice over IP (VoIP) and multimedia applications. Parsing and processing functions that do insufficient checking can fail when they encounter exceptionally long or specially crafted entries in H.323 fields. Malicious hackers can send these messages remotely, causing systems to crash or reboot.
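The length checking whose absence is described above, shown as an added example (not code from Cisco, Microsoft or OUSPG): a parser that walks the information elements of a Q.931-style message and rejects any length field that exceeds the bytes actually received or the destination buffer. The function name, the simplified message layout and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IE_DISPLAY   0x28  /* Display IE, 1-octet length */
#define IE_USER_USER 0x7E  /* User-User IE, 2-octet length in H.225.0 */

/* Constructed samples: SETUP (0x05) carrying one Display IE. */
static const uint8_t sample_ok[]  = {0x08,0x02,0x00,0x01,0x05, 0x28,0x03,'b','o','b'};
static const uint8_t sample_bad[] = {0x08,0x02,0x00,0x01,0x05, 0x28,0xF0,'b','o','b'};

/* Walk the information elements (IEs) and copy the Display text into out.
 * Returns the IE count, or -1 when a length field points past the end of
 * the message or the text does not fit in out. Simplified layout. */
int q931_get_display(const uint8_t *msg, size_t len, char *out, size_t outsz)
{
    size_t pos, crlen, ielen;
    int count = 0;

    if (outsz == 0 || len < 2 || msg[0] != 0x08)   /* protocol discriminator */
        return -1;
    out[0] = '\0';
    crlen = msg[1] & 0x0F;                         /* call reference length */
    if (len - 2 < crlen + 1)                       /* call ref + message type */
        return -1;
    pos = 2 + crlen + 1;
    while (pos < len) {
        uint8_t id = msg[pos++];
        if (id & 0x80) { count++; continue; }      /* single-octet IE */
        if (len - pos < (id == IE_USER_USER ? 2u : 1u))
            return -1;                             /* length field truncated */
        ielen = msg[pos++];
        if (id == IE_USER_USER)
            ielen = (ielen << 8) | msg[pos++];
        if (ielen > len - pos)                     /* declared vs. bytes left */
            return -1;
        if (id == IE_DISPLAY) {
            if (ielen >= outsz)                    /* would overflow out */
                return -1;
            memcpy(out, msg + pos, ielen);
            out[ielen] = '\0';
        }
        pos += ielen;
        count++;
    }
    return count;
}
```

Every comparison is written as "declared length versus bytes remaining" so that an oversized length cannot wrap the arithmetic or drive the copy past either buffer.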

Many Cisco products use H.323, including those using Cisco IOS Software Release 11.3T and all later releases. (Even some products that don't use IOS are vulnerable, however.) These may be configured for a variety of purposes, including as an H.323 network element, for IOS Network Address Translation (NAT), or for an IOS Firewall. A Cisco representative said none of the vulnerabilities have been attacked yet. Recommended workarounds include the use of access lists to block H.323 traffic, turning off the inbound IOS firewall, and blocking the default port, 1720. However, Cisco has complete fixes available for upgrading.

- Edmund X. DeJesus, contributor

Microsoft has released a patch for a critical flaw in its firewall product, Internet Security and Acceleration (ISA) Server 2000. The patch repairs a vulnerability in a popular communications standard.

The flaw is a buffer overflow in ISA Server's H.323 filter, the component that enables multimedia communication, such as real-time audio, over networks. H.323 is often used for voice over IP.

The vulnerability is rated "critical" by Microsoft because remote attackers can use the flaw in the H.323 filter to overflow a buffer in Microsoft Firewall Service, which would allow attackers to run code with the system privilege of the service. Microsoft has enabled the H.323 filter by default so that virtually anyone running ISA Server 2000 would be susceptible to attack.

Microsoft recommends a couple of workarounds for companies that can't install the patch right away. The first is disabling the H.323 filter. To do so, you:

  • Open the ISA management tool.
  • Expand the Extensions container.
  • Expand the Application Filters container.
  • Select the H.323 Filter and then click "Disable".
  • Restart the Microsoft Firewall Service Windows Components.

This workaround, however, will block H.323 traffic, so applications that rely on it, such as IP telephony and data collaboration software, won't work.

Users of vulnerable systems can also block TCP port 1720 at the gateway. The H.323 filter listens on the port, and blocking it would reduce the chances of getting attacked from the Internet. This workaround will also likely break applications that use H.323.

Microsoft also announced two other vulnerabilities: a "moderate" flaw in Exchange Server 2003 that could allow privilege escalation, and an "important" flaw that could allow attackers to run arbitrary code in Microsoft Data Access Components. MDAC ships with a variety of Microsoft products, including Windows Server 2003, Windows 2000 and XP, and SQL Server. MDAC enables database operations on Windows systems.

To some, a particular patch is notably lacking, namely one for the "0x01" URL-spoofing vulnerability in Internet Explorer. That flaw allows users to create legitimate-looking URLs that in fact link to bogus Web sites.

Thor Larholm, senior security researcher at Newport Beach, Calif.-based PivX Solutions LLC, disagrees. "Address spoofing is much less critical than code execution," he said.

Larholm is well-known for finding Internet Explorer vulnerabilities, but he considers the H.323 filter flaw in ISA more dangerous because it allows attackers to run code and because it's installed by default.

"Technically, the 0x01 flaw is not very critical. It can be used as part of social engineering, but once you get to the site you could tell it's not real," he said. Moreover, the vulnerability is fixed in Service Pack 2 for Windows XP, which is in beta now, Larholm said.

The Microsoft Data Access Components flaw is also pretty serious, Larholm said. It would probably be "critical" if local network access weren't needed to exploit it. "DSL or cable users may be vulnerable if they don't have a router or firewall," he said.

FOR MORE INFORMATION:

SearchNetworking.com news exclusive: "VoIP vulnerability could leave networks exposed"

Click here for Microsoft security bulletin MS04-001

Click here for Microsoft security bulletin MS04-002

Click here for Microsoft security bulletin MS04-003
