VOIP, Video-Conferencing Apps Face Security Risk

Certain vendor implementations of the H.323 protocol could open multimedia applications to denial-of-service attacks and buffer overflows, U.K. security researchers reported on Tuesday.

Multimedia applications such as voice over IP telephony and video conferencing could be vulnerable to security breaches because of flaws in the way a major telephony standard is being used.

Some vendors implementations of the H.323 protocol, an International Telecommunications Union standard for communication among telephony and multimedia devices, are vulnerable to denial of service attacks and, to a lesser extent, the execution of code and system takeovers through buffer overflows, according to an advisory issued Tuesday by the United Kingdoms National Infrastructure Security Co-Ordination Centre (NISCC).

Microsoft Corp. and Cisco Systems Inc. were the only vendors to issue patches and advisories as of Tuesday afternoon, even though products from several other vendors also could be at risk.

As part of a series of security bulletins it issued on Tuesday, Microsoft released one rated "critical" for its Internet Security and Acceleration Server 2000 software, pointing to a flaw in the H.323 filter that could allow an attacker, through a buffer overflow, to take over control of the system.

/zimages/2/28571.gifMicrosoft issued a batch of security bulletins on Tuesday. To read more about the vulnerabilities, click here.

Cisco, of San Jose, Calif., in a security advisory said that all products that run Ciscos IOS network system software and support H.323 packet processing are affected by a vulnerability that can cause denial of service attacks. Cisco supports H.323 in its IOS software with version 11.3T and later.

Other vendors that identified potential vulnerabilities were Nortel Networks Inc., Radvision Corp. and Tandberg. Avaya Inc., Lucent Technologies, Fujistu Ltd. and Hewlett-Packard Co. told the NISCC that they are investigating whether their products are vulnerable to the security flaw.

Among those reporting that their products are not vulnerable were Apple Computer Inc., CyberGuard Corp., eSoft Inc., Hitachi Ltd., the NetBSD Project, Objective Systems Inc., Red Hat Inc., Symantec Corp. and uniGone.

In the United States, the Computer Emergency Response Team Coordination Center also issued an advisory about the vulnerabilities in H.323 implementations. It noted that one possible workaround, along with vendor patches and upgrades, is to block ports 1720/tcp and 1720/udp on network parameters.

According to CERT, more than 50 vendors had not yet reported whether their products were vulnerable.