Flaws Threaten VoIP Networks?
jdkane writes "CNET News reports that security flaws have been found in products that use VoIP and text messaging, including those from Microsoft and Cisco Systems. What's interesting, in Microsoft's case, is that the Internet Security and Acceleration Server product that's also affected is designed to help protect companies' networks from online attacks. Specifically, a filter used in the server that secures VoIP communications is vulnerable to the flaw."
Imagine that... Microsoft making a product with security flaws! Someone call the press...
So it seems they've already fixed the problem.
Should we blame lazy sysadmins for not keeping their systems patched?
Or should we blame Microsoft?
I have been pwned because my
If that's impossible then this isn't slashdot.
Beings aspergers AND pulling chicks... I enjoy the challenge!
I saw that embedded XP beat out linux for Radio Shack's POS.. Wait till the hackers get into that system..
Wonder why we are fed-xing all these remote control cars to russia?? Must be popular there..
Check the source code, I'm sure it'll mention something about microsoft and the FBI.
I'm not out of order! You're out of order! The whole freaking system's out of order!
But Cisco is just as vulnerable and wider spread as IOS 11.3 and greater is flawed
In Cisco products - they are also vulnerable - and particularly when used as firewalls or edge devices.
But then again it's more fun to blame MS isn't it ;-)
Wow that ought to really bolster a customer's confidence: Not only are you saying this type of mistake is common in your experience, your excuse is "Hey we're only human"! Uh isn't that why you're supposed to have quality assurance?
I went to the city because I wished to live without deliberation.
*manly voice* "Hey baby, do you like it hard?" *sexy voice* "Yeah, like that" *my voice* "How about this: have real sex"
Jason Faulkner
Old Os Administrator
jason@oldos.org
oldos.
Several other companies also produce products that may be affected, but as of midday Tuesday only Cisco and Microsoft had issued advisories and patches.
Wow. While other companies are investigating, the MS patch machine has already spit one out. Give 'em a little credit. Nah, this was just lucky hehe
Since the whole no-way-Microsoft-would-ever-have-a-security-hole joke has been done to death, I'll do a different one. ...
Wait, nothing could be funnier than the irony of someone saying no-security-holes-in-Microsoft-products.
Oh, the horror!
Since Microsoft released their "Depend on certified security" firewall, it has had 8 Security Bulletins (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp?productid=110&servicepackid=0&chkcritical=on&chkimportant=on&chkmoderate=on&chklow=on&seldaterange=0&txtdatestart=&txtdateend=&submit1=go)
(and far more holes, due to Microsoft's 'monthly cluster together all the bugs we found this month and call it one hole deal.')
I have installed about 20 of these fine things, and the amount of bugs and hotfixes we have found and needed to get is amazing.
Microsoft Proxy Server only had ONE security hole. In fact, Proxy Server v1.0 was a single DLL which slid into IIS4!
Proxy Server 2.0 SP1 could fit on a floppy.
The problem is everyone uses ISA, because no other firewall I have found can provide the following.
1. Basic Reporting on Users (jo used x MB and went to these web sites.)
2. Tie in to Active Directory, so we don't have to setup and maintain another directory.
What about Open H.323.
Anyone know whether that project is going to be suffering the same vulnerability?
Will it be script-kiddies or certain phone companies getting nervous about competitors going VoIP?
*walks and stops in one place* Can you hack me now? ... Good.
just a buffer overflow. I'm not really surprised; sooner or later this was going to happen. I'm just surprised that it popped up in Cisco's case.
Altho, as I think about it, I get the feeling that Cisco got a bunch of network multimedia handling code from MS. I remember back in '98 or '99, they announced a software partnership w/ MS, causing much hand-wringing on /. to the effect that we might see NT-based routers. IOS is too heavily leveraged in Cisco's products, but the actual processes and services that run on it could come from anybody.
The fact that this looks to a few vendors (MS and Cisco being the biggies), and knowing how MS looks to diversify only makes me wonder how much of MS's wonderful code has managed to worm its way into the other devices I use...
Hmm... Maybe this had something to do w/ all the dreadful STP and bridging issues I had on the Catalyst 8540 platform...
Taken all together, VoIP should be deployed very carefully in places where network security is important. You might even run into a case where even if your computer network is completely separate from the Internet, but you use VoIP over the internal LAN via an IP PBX, someone might hack your phone/VoIP endpoint through the encoded voice stream and gain access to your LAN. Stranger things have happened.
Friggen finklestein trolls. Do you have anything /useful/ to say?
Percentage-wise, I'd bet a meeelion dollars that the folks here on /. are much more familiar with VoIP, TCP/IP, Cisco, MS, etc. than they are with whatever the heck the kids are using these days for enterprise analog voice networks.
Is it any surprise that everyone on here, pulling from their "wide" experience on both types of networks, thinks that things are oh-so-much worse with VoIP than they were/are with analog?
Look: vulnerabilities exist everywhere. If you had more people on this board that do analog telephony as a hobby/job than do PCs/*nix/etc. the articles would all be about Lucent/AT&T's switch vulnerabilities and how we should all switch to the "new bulletproof VoIP" stuff I keep hearing about.
I'll also bet *2* meeeeeelion dollars that if MS wasn't mentioned in the article, that nowhere near as many people would be jumping on this (although that's a big fat DUH).
Suppose that a new bug were described as a "file sharing security flaw". Now, does that affect Samba? FTP? NFS? Kazaa? File server bots on IRC? One expects good technical reporting to mention the affected services -- or better yet, actual products -- rather than simply describing a general application category.
Specifically, in the VoIP application category, there are two major signaling protocols in use: H.323 and SIP. The last round of "VoIP security flaws" affected SIP software. The current discoveries affect H.323. Describing both as "VoIP flaws" and suggesting that the application domain itself is "threatened" is really quite silly. It is as if someone suggested that a certain bug in IIS and another in Freenet together suggested that "file transfer" on the Internet were threatened.
(For those who don't know much about VoIP: H.323 is the older of the two protocols, and is closer to the "telecoms" way of doing things. It was, IIRC, originally connected to ISDN. SIP is newer, and closer to the "Internet" way of doing things -- if you look at packet captures of it, they look vaguely reminiscent of HTTP, only they're UDP.)
I know I'm going to regret asking this, but what does "sillema sillema nika su" mean? It was a fortune on slashdot.
Google shows very few hits for "sillema".
Didn't we mean:
'Specifically, a filter used in the server that secures VoIP communications is vulnerable due to the flaw.' ...?
Something written by Microsoft that was supposed to protect against attacks was found vulnerable. This won't be the last time it happens. Cisco, on the other hand, has no excuse given their record.
Flaw in ISA could lead to funny voice mails to your boss
Cool! Now if you leave voice mail over 2 minutes long, instead of an annoying beep, you get root access!
Love those buffer exploits...
"In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
...a little bird told me..
But Windows rests on a 20 year old operating system.
Muh? Granted the parent poster is a troll, but there's no need to lie in response.
Windows NT 3.1 - a 32-bit operating system built from the ground-up was released in July 1993 (there was no NT version 1.0 or 2.0, they skipped ahead to keep up with the Windows 3.1 version number). As anyone who tried to run DOS games on Windows NT / 2000 / XP can tell you - it is definitely *NOT* based on DOS.
Taking release dates, Windows NT is two years younger than Linux - which was released in August 1991
If you're going to lie, at least do it convincingly. (The original poster was referring to Windows NT 4, not Windows 95 and 98, which admittedly sit on top of DOS).
Make that 2 and 1/2 since OS X is semi-open source with the kernel such being open.
Jisho - A Japanese English German Russian French Dictionary for the rest of us.
Windows NT is based on VMS, which is much older than 1993
http://tinyurl.com/ywyt9
I don't think that this is going to be as large of a problem as Cisco's earlier issues. Although a worm could target home users running IP telephony applications on their PC's, this vulnerability is non-replicating and the potential for abuse is rather limited.
Basically, there are two major Cisco product lines that are affected by this bug. The first is Cisco's VoIP infrastructure products: the Cisco CallManager server, Conferencing Server, Softswitch and IOS-based routers running H.323 services, among others. Except where the public has access to VoIP services over the Internet, these servers and routers are located on the inside of a firewall. In a best-practices network design, all access to these servers and routers is either via the internal LAN or through a secure VPN connection over the Internet (or any other public network, for that matter). I would find it very unusual to have these services available publicly. If I left a Cisco router with POTS access and an easily guessable dial peer on an Internet-accessible LAN, the potential for toll fraud would be enormous (free calls, lots 'o free calls).
The second group of products that are vulnerable are Cisco routers performing NAT and firewall services. Cisco's Content Based Access-Control (CBAC) -- a "dynamic firewall" technology -- is also vulnerable to the H.323 DoS attacks in the same manner as the Microsoft IAS server. Once again, unless H.323 ports are open to unrestricted access from the Internet, routers are not vulnerable from random outside attacks. Traffic that originated from behind the firewall would be able to disrupt services, however it's much easier to apply an access list to track and block the offending traffic than it is to prevent an external DoS attack.
What's my point? I don't see a widespread attack being able to disable servers and routers on a large scale. Unless attacks are originated from inside a corporate firewall, the potential for disrupted services is minimal. I'm sure that large VoIP service providers are scrambling to patch and secure whatever systems possible - however, they are much better equipped to handle this issue than a Mom and Pop business who happens to have a CallManager server (at least we hope).
For people who are running these products, I'm recommending a thorough review of external firewall policies to make sure that there aren't any exposed H.323 ports. I'm also recommending an upgrade when it's feasible, but IMHO, there aren't many situations that would require burning the midnight oil to install patches.
Just my $.02.
that on the same page they talk about this flaw, they have the link for "How to Check If You Have ISA Server"
Is the audience of this page really the people we want running and securing corporate networks?
Are they still around? I interviewed there many years ago, only knew a little prior to the interview, and was astounded that they were going to write all their next stuff from scratch ... GUI, TCP/IP ... got out of there as fast as I could, figured they wouldn't be in business much longer if they had to do everything the hard way. A real bad attitude they had, snooty and snobby, like everyone else in the world was a loser and only they were doing the right thing. This was probably 1990 or so.
Infuriate left and right
Cisco has the same problem as Microsoft: The infrastructure that is supposed to protect vulnerable systems is itself vulnerable. Routers running IOS software which have some kind of H.323 support are affected, and this includes the IOS firewalling code (for CBAC, content-based access control).
This time, the PIX code base is unaffected, but Cisco claims that they incorporate legacy IOS code into the PIX software: "Provides comprehensive OSPF dynamic routing services on Cisco PIX Security Appliances using technology based on world-renowned Cisco IOS Software". This is, of course, the same mistake Microsoft made with ISA; they also reused broken code from their client and server products in it.
heh.. seth finkelsteins comments are the only ones worth reading anymore
Natural Selection: self-destruction of the poor and lazy
Yeah this is what happens when you outsource I.T. work & they implement Microsoft or 3rd party software end to end solutions for VoIP. Use a damn router with real encryption like we did years ago. It's amazing how stupid businesses got in I.T. in the last 3 years since Clinton sent our jobs overseas.
Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
I'm pretty sure NT was actually a fork from OS/2 after MS fell out with IBM. NTFS is based on HPFS. Either way, it has the square root of fsck all to do with DOS.
When I am king, you will be first against the wall.
That's smooth enough that you may get some gullible enough to follow it!
The Unix Honor Virus would work if you could make it convincing.
Well, of course, they will further break win2k (to say nothing of 9x) -- they still need to bring it down to a completely unusable level (as the IE 6 did for win98; SP4 already did lots of damage to win2k). How else could they corral everyone into their latest DRM infested crippleware / moronware (the XP). They ain't the biggest for nothing.
Now, doesn't that phrase strike you as something of an oxymoron?
Free Software: Like love, it grows best when given away.
The current H.323 flaw is based on bugs on the ASN.1 parser used in these products. The big bugs in almost all SNMP implementations a year ago or so also was based in ASN.1 parsing failures. Many openssl bugs are based in ASN.1 parsing failures.
The linux kernel 2.6 just got ASN.1 parsing INSIDE THE KERNEL in order to implement AUTH_KERB as part of the NFS/Kerberos client. Expect ASN.1 parsing based bugs inside the Linux kernel real soon now.
The acid test will be how long it will take for Vonage to respond to this Advisory. They ship affected Cisco routers.
They can run a telephone communications business with a mere fraction of the people that AT&T does, but can they effectively manage their system when something goes wrong?
Well what I find interesting is how many people here throw "stones" at microsoft systems! Is Linux bug free ?? hasn't ssh been designed to provide secure communications and openssh has had flaws ?
So, can I say that ssh suX big time just because of that ? Guess not, at least not me...
I work with both microsoft and linux servers, I like them both for different reasons!
The example of OpenSSH is one out of many. And Microsoft has many bugs too, I'm not saying the contrary. But I think many people here, should start seeing what they write because ISA Server is a good product, and the only thing that happened here was a security flaw, nothing that isn't discovered every single day... That and maybe if you knew or worked with the product before talking, wouldn't be such a bad idea...
Simply enough, it doesn't break once you set it up. Windows setups break on a regular basis, and my employers want yet more and more money.
Another reason to go with open protocols is that they don't "rust" with time.
We have RedHat 6.2 machines serving over 50 HTTP requests per second during peak hours. And the only reason we haven't changed them (upgraded ?) is that there are no problems with the services..(we apply our own patches of course)
Try to do that with a Microsoft product and after 2-3 years MS will have changed something in some protocol that forces you to "Upgrade".
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
I still don't understand all the excitement over VOIP...
It seems like any day (week,month,year) now, we'll have perfected the technology to send the sounds of people's voices over electric wires!
Truly amazing!
I used to work for a VoIP company, and in my experience security is about the last thing vendors are concerned with. Heck, you used to be able to crash those trendy Cisco VoIP phones (you know, the ones you see all over CTU on 24) by sending them a malformed packet. I believe even now you can blink the voicemail LEDs on Cisco phones without authenticating, which certainly made for some good office shenanigans. Half the devices we played with would only support plaintext authentication with the proxy. Didn't we learn anything in the last 20 years?
H.323 Security Flaw Real, Impact Minimal
(January 13, 2004) Apex, NC - An article published today on CNET and resulting from a security advisory posted by NISCC reported a security vulnerability with H.323. The flaw is related to H.323 and its use of ASN.1 Packed Encoding Rules (PER) for encoding and decoding messages, improper handling of malformed H.225.0 messages, and resource leakage. The security flaw is real, but the impact is minimal.
The primary security vulnerability arises from systems that do not properly check for malformed H.225.0 messages or malformed ASN.1 PER messages or messages of indefinite lengths. As a message is received, it should be checked to ensure that it is properly formed, both prior to decoding and during the decoding process. Thus, the problem is not inherent in the H.323 protocol or even ASN.1, but with the PER or message processing implementations used by some H.323 systems.
Correcting this vulnerability is relatively straightforward and most vendors have already taken corrective action. It involves putting proper constraint checking in the PER decoding libraries to ensure that malformed messages are properly discarded and do not disrupt system operation and to check the H.225.0 messages for proper content.
The second class of vulnerabilities relates to resource leakage. This is again due partly to the malformed message not being processed correctly, resulting in memory leaks. It is also due to the fact that some H.323 systems are not proactive in closing TCP connections over which a call is never established. The latter is not unusual, in fact, for any TCP-based system. A default Apache server, for example, will leave the TCP connection established for five (5) minutes before closing the connection. H.323 and any TCP-based system should be more proactive in closing connections to eliminate wasted resources.
While H.323 is the most widely used VoIP communication protocol worldwide, the impact is mitigated by the fact that most VoIP systems are operated on private networks that are out of reach from most hackers who would attempt to exploit such vulnerabilities. What this means is that global long distance networks that presently carry billions of voice minutes each month will not likely be impacted at all.
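The constraint checking the statement above describes, as an added example that is not part of the original post or any vendor's code: a C decoder for the aligned-PER length determinant that refuses a length exceeding the bytes received or the field's size limit, and refuses the fragmented form. The function names, status codes, the 64-byte limit and the sample inputs are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes and names below are this example's own, not from any H.323 stack. */
enum { PER_OK = 0, PER_TRUNCATED = -1, PER_TOO_LONG = -2, PER_UNSUPPORTED = -3 };

struct per_buf {
    const uint8_t *data;
    size_t len;  /* bytes available */
    size_t pos;  /* next unread byte */
};

/* Aligned-PER unconstrained length determinant (X.691):
 *   0xxxxxxx           length 0..127
 *   10xxxxxx xxxxxxxx  length 0..16383
 *   11xxxxxx           fragmented form; this decoder refuses it */
static int per_read_length(struct per_buf *b, size_t *out)
{
    if (b->pos >= b->len) return PER_TRUNCATED;
    uint8_t first = b->data[b->pos++];
    if ((first & 0x80) == 0) { *out = first; return PER_OK; }
    if ((first & 0xC0) == 0x80) {
        if (b->pos >= b->len) return PER_TRUNCATED;
        *out = ((size_t)(first & 0x3F) << 8) | b->data[b->pos++];
        return PER_OK;
    }
    return PER_UNSUPPORTED;
}

/* Copy a length-prefixed octet string only after both checks pass. */
static int per_read_octets(struct per_buf *b, uint8_t *dst, size_t cap, size_t *n)
{
    int rc = per_read_length(b, n);
    if (rc != PER_OK) return rc;
    if (*n > b->len - b->pos) return PER_TRUNCATED; /* claims more than was received */
    if (*n > cap) return PER_TOO_LONG;              /* exceeds the field's size constraint */
    memcpy(dst, b->data + b->pos, *n);
    b->pos += *n;
    return PER_OK;
}

/* Returns the decoded length (>= 0) or a negative status; malformed input is discarded. */
int check_message(const uint8_t *msg, size_t msg_len)
{
    uint8_t field[64]; /* assumed size constraint for the field */
    struct per_buf b = { msg, msg_len, 0 };
    size_t n = 0;
    int rc = per_read_octets(&b, field, sizeof field, &n);
    return rc == PER_OK ? (int)n : rc;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_OK[]    = { 0x03, 'a', 'b', 'c' };
static const uint8_t SAMPLE_SHORT[] = { 0x7F, 'a', 'b' };   /* claims 127, carries 2 */
static const uint8_t SAMPLE_CUT[]   = { 0x80 };             /* two-byte form cut off */
static const uint8_t SAMPLE_FRAG[]  = { 0xC1, 0x00 };       /* fragmented form */
static const uint8_t SAMPLE_BIG[2 + 256] = { 0x81, 0x00 };  /* 256 bytes, over the cap */

int main(void)
{
    printf("%d %d %d %d %d\n",
           check_message(SAMPLE_OK, sizeof SAMPLE_OK),
           check_message(SAMPLE_SHORT, sizeof SAMPLE_SHORT),
           check_message(SAMPLE_CUT, sizeof SAMPLE_CUT),
           check_message(SAMPLE_FRAG, sizeof SAMPLE_FRAG),
           check_message(SAMPLE_BIG, sizeof SAMPLE_BIG));
    return 0;
}
```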
MS gets blasted for not following a standard, but when they do, and they are affected by a flaw in the standard, they get blasted!
Don't you just love /. ?
Microsoft hired Dave Cutler, chief architect of VMS, and several of his coworkers from DEC to design a next-generation operating system tentatively named 'OS/2 3.0'; it would support a variety of architectures and APIs, with the OS/2 API being preferred. The first build target was the Intel i860, code-named 'N-Ten', and the project became known as 'OS/2 N-Ten' or 'OS/2 NT'. As Windows became more popular, Microsoft realized that it no longer needed IBM, and decided that NT would primarily use a new 32-bit version of the Windows API; the name changed once again, this time to 'Windows NT'.
NT until recently retained an OS/2 1.x subsystem (along with an equally weak POSIX subsystem), and NTFS took many design cues from HPFS, but it was never any more a fork of OS/2 than it was a fork of Windows 3.1. Its closest architectural relative is and always was VMS.
I know this is something of a long shot, but given the amount of work shipped overseas these days, could that process or product contribute to problems in "newer" applications such as VoIP?
If you make the assumption that most core network systems we use now were largely coded before shipping work overseas was so widespread but newer protocol implementations like VoIP (yes, I know it's more of a "system" than a specific protocol), are those protocols/systems going to be vulnerable to all the usual drawbacks to overseas coding that /.'ers have talked about (bad communications, weak coding, bottom-dollar vendor selection, etc)?
I'm not suggesting that the overseas *coders* are per se the problem, but the inherent problems associated with a design-here-code-there, maximum-profit model could plague a whole new generation of protocols and systems with all kinds of bugs.
You can make the argument that the original suites of protocols we're all familiar with (smtp, http, ftp, nis, nfs, etc) were plagued with security problems as well, but those applications were largely developed and implemented not for a hostile, worldwide internet, but for a collegial, mostly private "research" network used by a limited number of people in a relatively controlled environment.
New processes and systems (like VoIP) arguably should be developed with the idea of a hostile, worldwide network where the expectation should be that they will almost always come under attack, either accidentally (cf. Cisco 67x DSL routers and the Code Red worm), or deliberately. But they're apparently not, unless simple maturity is what these problems are all about.
I poked around their website, not much to see. I guess it makes sense that some customers would be locked in and not have any choices; if it works and they have no expansion plans, no big harm in keeping it. But I am sooo glad I didn't take that job. I have worked at companies that were on both sides of similar lockin situations, and it gives me shudders to think of doing that again, from either side.
Infuriate left and right
The problem is that the bugs that show up are hidden in the code. So what you see with microsoft is the effect not the flaw. Just try to do a debug on an MS proprietary pipe! The output is deliberately obscured. The trick is to do a binary backtrace, or crack, then you can figure out the exact nature of the bug. The gnu debugger on the other hand will even suggest a fix if you find a memory error! It's too bad most MS server people can't write squat when it comes to code, and can't fix squat without a moused out window gui and band-aid patch from MS. Learn to program, not patch.
OH THE SHAME I fell off the wagon and use sigs again!
Imagine that... the open source community making a product with security flaws (OpenSSL) which many other services depend on (kerberos, https, and many others)! Someone call the press...