Category:   Device (Router/Bridge/Hub)  >   Cisco IOS
Vendors:   Cisco
Cisco IOS Routers Can Be Crashed With Malformed H.323 Packets
SecurityTracker Alert ID:  1008685
SecurityTracker URL:  http://securitytracker.com/id/1008685
CVE Reference:   CVE-2004-0054
Updated:  Jul 6 2008
Original Entry Date:  Jan 13 2004
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 11.3T, 12.0, 12.0S, 12.0T, 12.1, 12.1T, 12.1E, 12.2, 12.2S, 12.2T
Description:   Several vulnerabilities were reported in Cisco's IOS in the processing of H.323 messages. A remote user can cause the IOS-based device to crash and reboot.

Cisco reported that the University of Oulu Secure Programming Group (OUSPG) created a test suite for H.323, including the H.225.0 and Q.931 messages. The vulnerabilities in Cisco IOS were identified by the suite and are largely due to insufficient checking of H.225.0 messages, according to the report.

A remote user can cause denial of service conditions on the target system. The target system may crash and reboot.

Cisco IOS release 11.3T and later versions include H.323 support and may be affected if configured for various types of voice/multimedia application support. If the IOS device is configured 1) as an H.323 network element, 2) to perform Network Address Translation (NAT), or 3) to implement IOS Firewall (Context-Based Access Control [CBAC]), the device may be vulnerable.

Cisco reports that IOS systems that block H.323 traffic using an access list to prevent H.323 traffic from entering the router are protected.

Cisco IOS versions 11.1, 11.2, 11.3, and 12.3 are reportedly not vulnerable.

Cisco IOS versions 11.3T, 12.0, 12.0S, 12.0T, 12.1, 12.1T, 12.1E, 12.2, 12.2S, and 12.2T reportedly have vulnerabilities in the processing of H.323 Network Element traffic (e.g., H.323 Gateway, H.323 Gatekeeper, and H.323 Gatekeeper with Proxy).

Cisco IOS versions 12.1, 12.1E, 12.2, 12.2T, 12.2S, and 12.3T reportedly have vulnerabilities in the processing of H.323 IOS NAT traffic.

Cisco IOS versions 12.0, 12.1, 12.1E, 12.2, 12.2T, and 12.2S reportedly have vulnerabilities in the processing of H.323 IOS Firewall (CBAC) traffic.

Other non-IOS products are affected [Editor's note: We will address those products in a separate Alert].
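
Added example (not part of this alert or of Cisco's advisory): a triage helper that reduces a `show version` string to its release train and checks it against the three exposure conditions and the version lists given above. The config patterns used to recognise each condition and the sample inputs are assumptions constructed for illustration; the fixed releases are only in the vendor's table, so a match means "check that table", not "unpatched".

```python
import re

# Affected release trains per exposure condition, copied from this alert.
AFFECTED = {
    "network_element": {"11.3T", "12.0", "12.0S", "12.0T", "12.1", "12.1T",
                        "12.1E", "12.2", "12.2S", "12.2T"},
    "nat": {"12.1", "12.1E", "12.2", "12.2T", "12.2S", "12.3T"},
    "cbac": {"12.0", "12.1", "12.1E", "12.2", "12.2T", "12.2S"},
}
NOT_VULNERABLE = {"11.1", "11.2", "11.3", "12.3"}  # also from this alert

# Assumption: config lines taken as evidence of each condition. This is a
# heuristic, not the vendor's procedure for determining exposure.
ROLE_PATTERNS = {
    "network_element": re.compile(r"^(gatekeeper|dial-peer voice \d+ voip)\b", re.M),
    "nat": re.compile(r"^\s*ip nat (inside|outside)\b", re.M),
    "cbac": re.compile(r"^\s*ip inspect\b", re.M),
}
VERSION_RE = re.compile(r"Version (\d+\.\d+)\(\d+[a-z]?\)([A-Z]*)")

# Constructed sample input (not taken from a real device).
SAMPLE_VERSION = "IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(15)T9"
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip nat outside
 ip inspect FW in
!
ip inspect name FW h323
"""


def ios_train(show_version):
    """Reduce e.g. 'Version 12.2(15)T9' to the train name '12.2T'."""
    m = VERSION_RE.search(show_version)
    if m is None:
        raise ValueError("no IOS version string found")
    return m.group(1) + m.group(2)


def triage(show_version, running_config):
    """Match the device's train and configured roles against the alert."""
    train = ios_train(show_version)
    exposed = sorted(role for role, pat in ROLE_PATTERNS.items()
                     if pat.search(running_config) and train in AFFECTED[role])
    listed = train in NOT_VULNERABLE or any(train in s for s in AFFECTED.values())
    # listed=False: train is not named in this alert; consult the vendor table.
    return {"train": train, "exposed_via": exposed, "train_listed": listed}
```
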

Impact:   A remote user can cause the target device to crash and reboot.
Solution:   The vendor has released fixed versions. For a table showing the various fixed versions, see the vendor's advisory at:

http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml

Cisco notes that IOS systems that block H.323 traffic using an access list to prevent H.323 traffic from entering the router are protected.

Vendor URL:  www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml
Cause:   Exception handling error, Input validation error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Tue, 13 Jan 2004 08:45:35 -0500
Subject:  http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml


http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml

 > Cisco Security Advisory: Vulnerabilities in H.323 Message Processing
 >
 > Document ID: 47843

Cisco reported that several Cisco products have vulnerabilities in the processing of H.323 
messages.  The University of Oulu H.323 protocol test suite was used to identify these flaws.

Cisco IOS release 11.3T and later versions include H.323 support and may be affected if 
configured for various types of voice/multimedia application support.  If the IOS device 
is configured 1) as an H.323 network element, 2) to perform Network Address Translation 
(NAT), or 3) to implement IOS Firewall (Context-Based Access Control [CBAC]), the device 
may be vulnerable.  To determine if your device is affected, see the detailed and specific 
instructions in the advisory.

Other non-IOS products are affected (see below).

A remote user can cause denial of service conditions on the target system.  The target 
system may crash and reboot.  On the Cisco CallManager, ISN, and CCC, Cisco reports that 
the system will crash or will hang with processor utilization of 100% (preventing new 
calls, possibly dropping existing calls, and requiring a reboot to return to normal 
operations).

Cisco reports that IOS systems that block H.323 traffic using an access list to prevent 
H.323 traffic from entering the router are protected.

Cisco notes that the University of Oulu Secure Programming Group (OUSPG) created a test 
suite for H.323, including the H.225.0 and Q.931 messages.  The vulnerabilities identified 
by the suite are largely due to insufficient checking of H.225.0 messages, according to 
the report.

Cisco IOS versions 11.1, 11.2, 11.3, and 12.3 are reportedly not vulnerable.
	
Cisco IOS versions 11.3T, 12.0, 12.0S, 12.0T, 12.1, 12.1T, 12.1E, 12.2, 12.2S, and 12.2T 
reportedly have vulnerabilities in the processing of H.323 Network Element traffic (e.g., 
H.323 Gateway, H.323 Gatekeeper, and H.323 Gatekeeper with Proxy).

Cisco IOS versions 12.1, 12.1E, 12.2, 12.2T, 12.2S, and 12.3T reportedly have 
vulnerabilities in the processing of H.323 IOS NAT traffic.

Cisco IOS versions 12.0, 12.1, 12.1E, 12.2, 12.2T, and 12.2S reportedly have 
vulnerabilities in the processing of H.323 IOS Firewall (CBAC) traffic.


Vulnerabilities also exist in the following Cisco products:

* Cisco CallManager - Bug IDs CSCdx82831, CSCea46545, and CSCea55518.  Only certain 
configurations are affected (see the advisory).

The First Fixed Regular Releases are 3.1(4b)spD, 3.2(3), 3.3(2)spC, and 3.3(3)


* Cisco Conference Connection - all versions are vulnerable.  Cisco does not plan to issue 
software fixes.  A workaround is provided in the advisory.


* Cisco Internet Service Node - all versions are vulnerable.  Cisco does not plan to issue 
software fixes.  A workaround is provided in the advisory.


* Cisco 7905 Series IP Phone - Bug ID CSCec77152

Version 1.0(1) of the 7905 H.323 phone firmware load contains a fix. The version 1.0(1) 
image names are cp790501001h323031212a.sbin for the signed image and 
cp790501001h323031212a.zup for the unsigned image.


* Cisco ATA18x Series Analog Telephony Devices - Bug IDs CSCea46231 and CSCea48726.

Version 2.16.1 contains a fix.


* Cisco BTS 10200 Softswitch - Bug ID CSCea48755

Version 4.1 contains a fix.


 
 



Copyright 2014, SecurityGlobal.net LLC