New kind of security hole: VOIP
- By William Jackson
- Jan 13, 2004
Security vulnerabilities affect a number of vendors' software for setting up voice and video sessions over IP networks using the international H.323 conferencing protocols.
Experts are calling the flaws reasonably serious because of the number of products involved, the widespread use of voice over IP equipment and the fact that core operating systems are involved, including the Cisco Internetwork Operating System.
When administrators set up video or audio sessions, malformed fields in H.225.0v4 call-signaling messages could make IP networks vulnerable to denial-of-service attacks or remote compromise.
The security holes are 'similar to traditional network-based vulnerabilities, only they happen to affect VOIP,' said Neel Mehta, research engineer with the X-Force laboratory of Internet Security Systems Inc. of Atlanta.
Researchers at the University of Oulu in Finland found the flaws with a test suite developed for products using the H.323 VOIP protocol. They flagged products from vendors including Cisco Systems Inc., Microsoft Corp., Nortel Networks Corp. of Brampton, Ontario, and Tandberg Inc. of Herndon, Va.
Mehta warned that IP networks could be at risk even if they do not host VOIP services. 'You may be vulnerable if you have parsing for the protocol enabled on your routers,' he said. Not all such capabilities are enabled by default.
The ISS Internet Scanner, downloadable from http://xforce.iss.net/xforce/xfdb/14177
, can check for the vulnerabilities. Many of the vendors have already released fixes, Mehta said. Others still are assessing the situation. Administrators should check with their networking vendors about vulnerable products and patches, he said.
Administrators not using VOIP should consider blocking traffic on TCP or UDP port 1720 used for call-signaling messages, and disabling call-setup protocols on servers and routers, Mehta said.
The announcement of the vulnerabilities was coordinated with the vendors and Britain's National Infrastructure Coordination Centre so that the affected vendors had an opportunity to react.
'We haven't seen an exploit yet,' Mehta said, but he added that he expects some soon.
William Jackson is a Maryland-based freelance writer.