
VOIP Hole Is Well Hidden

A security flaw found in H.323, the most widely deployed VOIP communications protocol worldwide, can cause VOIP networks to shut down, but it’s only a theoretical problem for now, experts say.

VOIP carriers on Wednesday said they were scrambling to patch the vulnerability, which was first brought to light yesterday by the National Infrastructure Security Coordination Center (NISCC), a U.K. government agency that was continuing work started by the University of Oulu Security Programming Group (OUSPG) in Finland. It was also covered in an advisory issued by CERT.

Paul Jones, chairman of the International Telecommunication Union (ITU) group for H.323 and a systems developer in the VOIP architecture team at Cisco, says the problem is real, but its impact is minimal.

“There are specific implementation vulnerabilities in H.323-related protocols that are critical to the U.K. national infrastructure," says Victoria Eld, spokeswoman for the NISCC. "We can't give any more details on this notice for security reasons, but we are working with vendors to fix it.”

The security hole affects VOIP products from a host of vendors including Cisco Systems Inc. (Nasdaq: CSCO), Avaya Inc. (NYSE: AV), Nortel Networks Corp. (NYSE/Toronto: NT), and Radvision Ltd. (Nasdaq: RVSN), as well as Microsoft Corp.'s (Nasdaq: MSFT) Internet Security and Acceleration Server 2000, which is included with Small Business Server 2000 and 2003 editions.

Each of these companies has released security advisories describing which of their products are affected, and in most instances they've provided fixes. (For the Cisco notice, click here.)

The ITU's Jones says the hole is not a problem with the H.323 standard itself but with a lower-level protocol that H.323 depends on: ASN.1 Packet Encoding Rules (PER), which is used for encoding and decoding messages and for handling improper messages on a VOIP network. The flaw will arise in networks that do not properly check for bad messages. Jones says a bad message, for example, might indicate to the decoding library that the next part of the message is longer than the actual length of the entire message. “In some implementations of ASN.1 the checks are not in place to spot these problems, so the library would try to allocate more memory than it should, potentially leading to buffer overruns and system crashes… It’s a problem of bad coding."
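The length check Jones describes, as an added example that is not part of the original article or any vendor's code: a simplified, octet-aligned decoder for one PER-style length-prefixed field that refuses a declared length larger than the data actually received. The function names, result codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { DEC_OK = 0, DEC_TRUNCATED = -1, DEC_TOO_LONG = -2, DEC_UNSUPPORTED = -3 };

/* PER-style length determinant: 0xxxxxxx is a length of 0..127;
 * 10xxxxxx xxxxxxxx is a length up to 16383; 11xxxxxx (fragmented)
 * is rejected in this simplified sketch. */
static int read_length(const uint8_t *buf, size_t len, size_t *pos, size_t *out)
{
    if (*pos >= len) return DEC_TRUNCATED;
    uint8_t b = buf[(*pos)++];
    if ((b & 0x80) == 0) { *out = b; return DEC_OK; }
    if ((b & 0xC0) == 0xC0) return DEC_UNSUPPORTED;
    if (*pos >= len) return DEC_TRUNCATED;
    *out = ((size_t)(b & 0x3F) << 8) | buf[(*pos)++];
    return DEC_OK;
}

/* Decode one length-prefixed octet string. The declared length is checked
 * against the bytes actually received and against the destination size
 * before anything is copied. */
int decode_octets(const uint8_t *msg, size_t msg_len,
                  uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    size_t pos = 0, declared = 0;
    int rc = read_length(msg, msg_len, &pos, &declared);
    if (rc != DEC_OK) return rc;
    if (declared > msg_len - pos) return DEC_TRUNCATED; /* claims more than arrived */
    if (declared > dst_cap) return DEC_TOO_LONG;        /* would overrun dst */
    memcpy(dst, msg + pos, declared);
    *out_len = declared;
    return DEC_OK;
}

/* Returns the decoded length, or a negative DEC_* code on rejection. */
int try_decode(const uint8_t *msg, size_t n)
{
    uint8_t field[16];
    size_t got = 0;
    int rc = decode_octets(msg, n, field, sizeof field, &got);
    return rc == DEC_OK ? (int)got : rc;
}

/* Constructed samples: a well-formed field, and one whose length octets
 * (0x83 0xE8 = 1000) claim far more than the 4 octets that follow. */
static const uint8_t SAMPLE_OK[]  = { 0x03, 'a', 'b', 'c' };
static const uint8_t SAMPLE_BAD[] = { 0x83, 0xE8, 'a', 'b', 'c', 'd' };
```

A decoder without the two comparisons in `decode_octets` would trust the declared 1000 octets and read or copy past the end of the 6-octet message.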

In addition, he says H.323 uses TCP to establish a connection with another H.323 device. In bad implementations, the connection is left open for long periods of time, exhausting memory resources. If all ports on a device are left open, that device could feasibly be taken out of commission, he says.

Despite the seriousness of the problem, Jones says the impact is mitigated by the fact that most VOIP systems are operated on private networks that are out of reach of most hackers who would attempt to exploit such vulnerabilities.

Martin Euchner, H.323 security expert at Siemens AG (NYSE: SI; Frankfurt: SIE), adds that ASN.1 is used in many other protocols. “X500 and X509 also rely on it,” he says. “Right now, this has come up because of systematic testing by a British lab. It’s a particular H.323 application run over a particular implementation of ANS.1 -- it may not occur in real situations, just theoretical combinations. All the same," he warns, "it must be guarded against.”

ITXC Corp. (Nasdaq: ITXC), the largest domestic VOIP carrier in the U.S., has a network that runs almost exclusively on Cisco H.323. The company has not run into this problem. “We are going in very quickly to check our equipment is patched and protected,” says John Landau, executive VP of product management at ITXC.

VOIP carriers iBasis Inc. (OTC: IBAS), China Unicom Ltd., and FastWeb SpA also run exclusively on H.323, but Jones says he has not heard any reports that these reported flaws have surfaced in their production networks.

— Jo Maitland, Senior Editor, Boardwatch

technonerd 12/5/2012 | 2:41:15 AM
re: VOIP Hole Is Well Hidden The security hole in VoIP has been "hidden" because VoIP is still a tiny niche. If VoIP were to become truly mainstream, we'd find a lot more holes because let's face it, this is Geekware 1.0, a work in progress. The current hype is classic VC/Wall Street/Silicon Valley sludge.
mr zippy 12/5/2012 | 2:41:13 AM
re: VOIP Hole Is Well Hidden Wow, technonerd, you really are anti-VoIP, aren't you? You're entitled to your opinion of course. The way you are taking every opportunity to rubbish it makes it look like you have a personal issue with it. Did VoIP defraud your mother out of a multi-million dollar inheritance or something?!

This issue is not really a VoIP issue, it's just that H323 is using ASN.1, and there seems to be a number of old ASN.1 implementations that weren't programmed using secure coding principles. A lot of SNMP implementations, which also use ASN.1, suffered from the exact same type of problem about 2 years ago. Juniper routers didn't suffer from the problem as their ASN.1 implementation was relatively new, and therefore programmed defensively, whereas Cisco routers did.

The OpenSSL library also suffered from ASN.1 problems a while back.

This is just another example of where security was ignored or neglected during initial implementation, as security wasn't a primary consideration at the time.

I expect we will see a number of other vulnerabilities such as this one in the future, with any number of protocol implementations.
mr zippy 12/5/2012 | 2:41:13 AM
re: VOIP Hole Is Well Hidden Abstract Syntax Notation 1

http://asn1.elibel.tm.fr/
aswath 12/5/2012 | 2:41:13 AM
re: VOIP Hole Is Well Hidden It isn't ANS.1. it is ASN.1 (remember asinine ans not answer :-) )
alchemy 12/5/2012 | 2:41:12 AM
re: VOIP Hole Is Well Hidden technonerd writes:
The security hole in VoIP has been "hidden" because VoIP is still a tiny niche.

Any new implementation of a protocol will have security holes. You find them, fix them, and life goes on. The box I deal with every day has had lots of security test suites run against it. Every new one, we find and fix a few problems. Nothing's perfect no matter how well you implement it and test it. 'good enough' is an iterative process.

I once crashed the ring on a #4ESS from a single PRI ISDN D channel on CPE gear. PRI had been shipping for years on the #4 when that happened. By your description, I guess PRI was only for geeks.
technonerd 12/5/2012 | 2:41:06 AM
re: VOIP Hole Is Well Hidden Any new implementation of a protocol will have security holes. You find them, fix them, and life goes on.
It's all a matter of degree, isn't it? Microsoft takes this attitude about its software, and you can see what has happened as a result. Their push into cable boxes has been stopped short; they're nowhere in wireline phones; they have only a press-release presence in cellphones.

Neither of us has any numbers to back it up. It's really a contest of sentiment in this thread. I still maintain that VoIP is an immature product nowhere near ready for the mass-market, but apparently you see the mass market as a lot more adventuresome and tolerant of phones that don't work.


I once crashed the ring on a #4ESS from a single PRI ISDN D channel on CPE gear. PRI had been shipping for years on the #4 when that happened. By your description, I guess PRI was only for geeks.
Apples and oranges.
BobbyMax 12/5/2012 | 2:41:06 AM
re: VOIP Hole Is Well Hidden Little problems with respect to H.323 can be fixed. But more serious problems relate to delays and jitter. If the voice packet has to traverse more than two or three IP networks, the problem of delays compounds seriously. Right now one can make a phone call using 3 cents a minute (in the US, Canada, Latin America). Nobody would use VOIP unless it is free.
technonerd 12/5/2012 | 2:41:04 AM
re: VOIP Hole Is Well Hidden Wow, technonerd, you really are anti-VoIP, aren't you? You're entitled to your opinion of course. The way you are taking every opportunity to rubbish it makes it look like you have a personal issue with it. Did VoIP defraud your mother out of a multi-million dollar inheritance or something?!
I'm not "anti-VoIP," but I am "anti-fraud."
dwdm2 12/5/2012 | 2:41:02 AM
re: VOIP Hole Is Well Hidden It is not every day that I respond to BobbyMax's post. But if this mentality is what causes all of BobbyMax's eruptions, then all those who despise those eruptions have a point.

So VoIP has an inherent problem, not worth my money. BUT, if I get it for FREE, I may mess with it, because my time is less worthy than VoIP, right?

On this board we have seen intelligent discussions where BOTH problem and solutions are discussed. So what is the solution of the 'inherent problem' Mr. all knowing?

Regards
el_gat0 12/5/2012 | 2:40:58 AM
re: VOIP Hole Is Well Hidden Actually, you can call for 3 cents a minute precisely b/c carriers are using VoP. People use it all the time and don't even know it.