Slashdot Mirror

← Back to Stories (view on slashdot.org)

Flaws Threaten VoIP Networks?

Posted by simoniker on from the flaws-flaws-everywhere dept.

jdkane writes "CNET News reports that security flaws have been found in products that use VoIP and text messaging, including those from Microsoft and Cisco Systems. What's interesting, in Microsoft's case, is that the Internet Security and Acceleration Server product that's also affected is designed to help protect companies' networks from online attacks. Specifically, a filter used in the server that secures VoIP communications is vulnerable to the flaw."

41 of 159 comments (clear)

  1. Imagine That by somethinghollow · · Score: 4, Funny

    Imagine that... Microsoft making a product with security flaws! Someone call the press...

    1. Re:Imagine That by pvt_medic · · Score: 3

      but the better part is the fact that this was the security filter is the flaw. So maybe Microsoft should give up on the whole security thing.

      --
      30% Troll, 50% Underrated, 10% Interesting
      Score:5, Troll
    2. Re:Imagine That by bfree · · Score: 5, Interesting

      Vulnerable (updates available): Cisco and Microsoft
      Unknown: Avaya, Fujitsu, Hewlett-Packard, Lucent and Nortel
      Safe: Apple, Hitachi, NetBSD, Red Hat and Symantec
      Is that a point for Security through open source as the two open products are already in the safe pile?

      --

      Never underestimate the dark side of the Source

    3. Re:Imagine That by Alien+Being · · Score: 3, Interesting

      "...where could you find a reporter who would care?"

      Nation Public Radio (WBUR 90.9MHz to you fellow Bostonians) for one. Believe it or not, the great unwashed masses are starting to become aware of the problem with Microsoft.

    4. Re:Imagine That by DAldredge · · Score: 3, Funny

      Since Red Hat is safe and I to take it that SCO is safe also?

    5. Re:Imagine That by interiot · · Score: 4, Insightful

      Well, various Java VM's have had problems in the past, does that mean we should just throw them away? Similarly for user-privilege-separation in the linux kernel. The whole reason we write narrow pieces of code that focus on security is that we realize that it's impossible guarantee a piece of code is bug-free. So instead, we do the two things that helps clear out bugs the best: we make the important security-related code as small as possible, and we give it time for people to find bugs and for us to fix them. After a while, you have a simple and mature piece of code that enhances the security of everything else, allowing the code it protects to be fast-changing and complex yet. It really seems like the right way to go to me. Finding and repairing flaws over time is how you gain maturity.

    6. Re:Imagine That by cball2k · · Score: 2, Insightful

      ya, linux never has a flaw, or bug, the errata pages are there just for giggles...

      stones, glass house....

      --
      karma, hah...
  2. You linked to Microsoft's patch by ObviousGuy · · Score: 5, Insightful

    So it seems they've already fixed the problem.

    Should we blame lazy sysadmins for not keeping their systems patched?

    Or should we blame Microsoft?

    --
    I have been pwned because my /. password was too easy to guess.
    1. Re:You linked to Microsoft's patch by marine_recon · · Score: 2, Insightful

      i know im probably going to get pounded for saying this, but you think that microsoft would test for things like this before release. i know that they must do lots of testing, but still. not everything can be fixed by a patch two or three weeks later.

      --
      Jack the sound barrier. Bring the noise.
    2. Re:You linked to Microsoft's patch by Creepy+Crawler · · Score: 4, Insightful

      But when the patch is 40MB that "fixes" many things that were never broken, can you trust the patch?

      Knowing MS, they'll offload packs that will break something else, or require deps on Service Packs. How do I know that upgrading Win2K SP2 to SP4 wont break the medical reporting server?

      --
    3. Re:You linked to Microsoft's patch by Creepy+Crawler · · Score: 3, Funny

      Here's why we dont consider Linux/Unix:

      http://www.despair.com/consulting.html

      Simply enough, it doesnt break once you set it up. Windows setups break on a regular basis, and my employers want yet more and more money.

      Consulting with the "good old boy" businesses are the hardset to get Linux in.

      --
  3. A flaw in a Microsoft product? by caston · · Score: 4, Funny

    If that's impossible than this isn't slashdot.

    --
    Beings aspergers AND pulling chicks... I enjoy the challenge!
  4. Thats nothing by WillRobinson · · Score: 5, Funny

    I saw that embeded XP beat out linux for Radio Shacks POS.. Wait tell the hackers get into that system..

    Wonder why we are fed-xing all these remote control cars to russia?? Must be popular there..

    1. Re:Thats nothing by strider3700 · · Score: 2, Interesting

      I work at a POS company. Our customers split about 50/50 terminal vs PC but on the PC they basically just get a terminal shell. The we refuse to support the PC stations so it doesn't affect us much, but we do see a lot of people switching back to terminals unless they do other work on the PC. On the back end server we use a piece of shit OS called theos, it's being replaced with Linux in a massive rewrite. Noone in their right mind would run something as important as a POS system on windows, it's just too vulnerable.

  5. Not to defend Microsoft by silconous · · Score: 3, Interesting

    But Cisco is just as vulnerable and wider spread as IOS 11.3 and greater is flawed

  6. Give them a break by odeee · · Score: 5, Insightful
    The same flaws affect many products - not just Microsoft. And the flaws are H.323 flaws - not necessarily ones introduced by Microsoft.

    In Cisco products - they are also vulnerable - and particularly when used as firewalls or edge devices.

    But then again it's more fun to blame MS isn't it ;-)

  7. Great quote by fiendo · · Score: 5, Interesting
    "It is kind of the same situation that we have seen--a certain level of human error is going to be present and that is true even for security software," said Stephen Toulouse, security program manager for Microsoft.

    Wow that ought to really bolster a customer's confidence: NOt only are you saying this type of mistake is common in your experience, your excuse is "Hey we're only human"! Uh isn't that why you're supposed to have quality assurance?

    --
    I went to the city because I wished to live without deliberation.
  8. I can't wait to hack this... by jasonfncsu · · Score: 2, Funny

    *manly voice* "Hey baby, do you like it hard?" *sexy voice* "Yeah, like that" *my voice* "How about this: have real sex"

    --
    Jason Faulkner
    Old Os Administrator
    jason@oldos.org
    oldos.
  9. wow by ThePretender · · Score: 4, Insightful

    Several other companies also produce products that may be affected, but as of midday Tuesday only Cisco and Microsoft had issued advisories and patches.
    Wow. While other companies are investigating, the MS patch machine has already spit one out. Give 'em a little credit. Nah, this was just lucky hehe

    1. Re:wow by marine_recon · · Score: 2, Interesting

      makes you wonder. they issuse a patch so quickly that you must wonder, do they really work that fast? or was the problem so simple that it was easy to fix? not that getting a patch out quickly is bad, mind you, its just that you hope quality dosnt suffer. all we need is a patch for the bugs in the last three patches.

      --
      Jack the sound barrier. Bring the noise.
  10. Blah. by i_am_syco · · Score: 2, Funny

    Since the whole no-way-Microsoft-would-ever-have-a-security-hole joke has been done to death, I'll do a different one. ... Wait, nothing could be funnier than the irony of someone saying no-security-holes-in-Microsoft-products.

  11. I guess... by Anonymous Coward · · Score: 2, Funny
    However, on Microsoft's Internet Security and Acceleration Server 2000, which is included with Small Business Server 2000 and 2003 editions, the vulnerability could allow an attacker to take control of the system.
    Well, I guess that rules out the slashdot crowd...I mean, who in their right mind would want to take over a Microsoft computer?

    Oh, the horror!
  12. ISA's Track Record is very bad by tyler@mango.net.nz · · Score: 4, Informative

    Since Microsoft released their "Depend on certified security" firewall, it has had 8 Security Bulletins http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/current.asp?productid=11 0&servicepackid=0&chkcritical=on&chkimportant=on&c hkmoderate=on&chklow=on&seldaterange=0&txtdatestar t=&txtdateend=&submit1=go) (and far more holes, due to Microsoft's 'monthly cluster together all the bugs we found this month and call it one hole deal.') I have installed about 20 of these fine things, and the amount of bugs and hotfixes we have found and needed to get it amazing. Microsoft Proxy Server only had ONE security hole. In fact, Proxy Server v1.0 was a single DLL which slid into IIS4! Proxy Server 2.0 SP1 could fit on a floppy. The problem is everyone uses ISA, because no other firewall I have found can provide the following. 1. Basic Reporting on Users (jo used x MB and went to these web sites.) 2. Tie in to Active Directory, so we don't have to setup and maintain another directory.

    1. Re:ISA's Track Record is very bad by Anonymous Coward · · Score: 2, Informative

      The problem is everyone uses ISA, because no other firewall I have found can provide the following. 1. Basic Reporting on Users (jo used x MB and went to these web sites.) 2. Tie in to Active Directory, so we don't have to setup and maintain another directory.

      You haven't looked very hard. My company uses squid, and it uses NTLM authentication against a windows 2000 domain. Users are authenticated automagically using the integrated IE authentication, and there's only one password store - the active directory on win2k server.

      Squid logs everything. There are dozens of reporting tools (some free, some not) which can read squid log files and generate pretty graphs for management.

      Squid has all sorts of detailed ACLs you can use to allow, disallow or redirect web browsing.

      Squid is fast and free (aside from my time). How much did you pay for ISA?

      Now, using ISA to manage non-web internet connections, that's something else entirely.

  13. What about Open H.323 by Anonymous Coward · · Score: 3, Interesting

    What about Open H.323.
    Anyone know whether that project is going to be
    suffering the same vunerability ?

  14. New commercial slogan? by phaetonic · · Score: 5, Funny

    *walks and stops in one place* Can you hack me now? ... Good. *walks and stops in one place* Can you hack me now? ... Good.

  15. meh... by netwiz · · Score: 4, Interesting

    just a buffer overflow. I'm not really surprised; sooner or later this was going to happen. I'm just surprised that it popped up in Cisco's case.

    Altho, as I think about it, I get the feeling that Cisco got a bunch of network multimedia handling code from MS. I remember back in '98 or '99, they announced a software partnership w/ MS, causing much hand-wringing on /. to the effect that we might see NT-based routers. IOS is too heavily leveraged in Cisco's products, but the actual processes and services that run on it could come from anybody.

    The fact that this looks to a few vendors (MS and Cisco being the biggies), and knowing how MS looks to diversify only makes me wonder how much of MS's wonderful code has managed to worm it's way into the other devices I use...

    Hmm... Maybe this had something to do w/ all the dreadful STP and bridging issues I had on the Catalyst 8540 platform...

    1. Re:meh... by afidel · · Score: 4, Informative

      Actually all of the effected Cisco products are in fact services that run on Windows. I know that this fact was a big concern among quite a few engineers at Cisco that wanted to port CallManager to L/Unix so that OS vulnerabilities wouldn't affect the stability of a product that they were aiming at Enterprise customers. Of course management went and did the exact opposite by tying the multimedia capabilities of CCM to an Exchange backend =(

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:meh... by zbaron · · Score: 2, Interesting

      We were an early adopter of Cisco CallManager and IP handsets (our director was taken to lots of lunches by Cisco reps), we used uOne as the voicemail because it was before Unity was available. Within 12 months, it was being pulled out, partly due to the fact that Cisco q.sig was different from NEC q.sig and the PABX and the "PABX" could not talk to each other, partly due to the platform it was deployed on, especially when we were told Exchange had to be part of the mix. All feedback to Cisco was based around how they wanted us to replace our 99.999 carrier grade PABX systems, with ... well Windows servers. We told them straight that we'd look at a CallManager solution again when it was running on IOS, Solaris or Linux. Many of the Cisco products that run on Windows are actually now appearing as applicances that run either Linux or a flavour of BSD.

    3. Re:meh... by doogles · · Score: 2, Informative
      Actually all of the effected Cisco products are in fact services that run on Windows. I know that this fact was a big concern among quite a few engineers at Cisco that wanted to port CallManager to L/Unix so that OS vulnerabilities wouldn't affect the stability of a product that they were aiming at Enterprise customers. Of course management went and did the exact opposite by tying the multimedia capabilities of CCM to an Exchange backend =(

      Well, it's obvious you've looked at the Cisco IP Telephony products, but don't use them day to day:
      • Cisco CallManager has nothing to do with Microsoft Exchange, directly
      • It has recently been stated by Cisco to their PArtners that CallManager 5.0 will be offered on a Linux-based "appliance" (this is quite a ways off, as CCM 4.0 will not be out of controlled release until the start of 2HCY2004)
      • Rumour has it that CallManager/Windows will eventually disappear in favor of a Linux-based "appliance"
      • CallManager relies on two other pieces: an LDAP server (CCM ships with DC-Directory from Data Connection and MS SQL 2000. Obviously, there are numerous Linux-based options for each (DC claims to have a Linux port of DC-Directory, and there are numerous database options for Linux) but at this time I am unsure which direction they are heading on this
      • When you reference MS Exchange, you are thinking of the Unified Messaging & Voicemail product Cisco Unity, which has traditionally used MS Exchange as it's message store for voice messages
      • There was no management decision to drive this product towards MS Exchange; it was developed by Active Voice from the ground up to be a Unified Messaging platform, and they chose the most popular platform to integrate with
      • Cisco now offers a Cisco Unity for Lotus Domino which I have two customers running. Unity has to have heavy knowledge of it's Partner Message Store so it's not trivial to add support for new backends. I've heard they are planning a Linux-based appliance for this as well, but don't know one way or the other.
      • Cisco IPCC Express product has already been ported to Linux, as Cisco Unity Express actually is not Unity at all, but a very customized IPCC Express script running on an embedded Linux platform (no, it is NOT IOS; you're thinking of CallManager Express, formerly known at ITS, which I have referenced on Slashdot previously
      • This leaves us with a few other products in the AVVID portfolio still on Windows. Coming to mind is Cisco Emergency Responder, Cisco Personal Assistant, IPCC Enterprise, and Cisco Conference Connection (OEM'd; and Cisco just bought a company which offers a similar product with 20x the features) /UL

        So, yes, Cisco is very married to Windows right now. However, this is actively changing. And additionally, there was no Cisco conspiracy to develop these products for Windows: CallManager (which came from Selsius) was already running on Windows NT 4.0, and Unity (which as I said came from
  16. It's not MS, it's VoIP -- expect more by Anonymous Coward · · Score: 5, Insightful
    It's not (juts) MS here that is having a problem. Bet on having a whole buncha security reports trickling in over the next few years with VoIP.

    1. It's an immature technology with immature implementations -- it's not shaken down yet to get all the flaws out (not just coding, but conceptual)
    2. The products and protocols (i.e. SIP (Silly Improvised Protocol)) are very ambitious and attempt to provide for making voice calls, IM, centrex features, user interaction with end point interfaces, presence, and emergency services, and cook your breakfast, too. Combined with #1 above, security flaws and problems are going to abound.
    3. Due to the ambitious, broad, and sprawling nature of the protocols and products, interoperability is going to be strained and painful, especially until a few dominant players shake out -- again expect problems due to interoperability side effects.
    4. As VoIP products and service spread, along with a plethora of devices, it is quite possible that a killer app or a brand new application shows up -- that manages to stretch the implements in unforeseen ways. (i.e. cookies with HTTP). Once consumer fads and marketing start driving the product development tooooo fast, expect more flaws until things mature.


    Taken all together, VoIP should be deployed very carefully in places where network security is important. You might even run into a case where even if your computer network is completely separate from the Internet, but you use VoIP over the internal LAN via a IP PBX, someone might hack your phone/VoIP endpoint through the encoded voice stream and gain access to your LAN. Stranger things have happened.
    1. Re:It's not MS, it's VoIP -- expect more by PacoTaco · · Score: 2, Funny
      someone might hack your phone/VoIP endpoint through the encoded voice stream and gain access to your LAN.

      Yes! Wardialing is back!

  17. Grass is always greener... by seigniory · · Score: 4, Insightful

    Percentage-wise, I'd bet a meeelion dollars that the folks here on /. are much more familiar with VoIP, TCP/IP, Cisco, MS, etc. than they are with whatever the heck the kids are using these days for enterprise analog voice networks.

    Is it any suprise that everyone on here, pulling from their "wide" experience on both types of networks, thinks that things are oh-so-much worse with VoIP than they were/are with analog?

    Look: vulnerabilities exist everywhere. If you had more people on this board that do analog telephony as a hobby/job than do PCs/*nix/etc. the articles would all be about Lucent/AT&T's switch vulnerabilities and how we should all switch to the "new bulletproof VoIP" stuff I keep hearing about.

    I'll also bet *2* meeeeeelion dollars that if MS wasn't mentioned in the article, that nowhere near as many people would be jumping on this (although that's a big fat DUH).

  18. "VoIP" is not a protocol by Frater+219 · · Score: 5, Informative
    Slashdot editors, technical journalists, and others writing serious articles on the subject would be well-advised to drop terms such as "VoIP security flaw" or "products that use VoIP". Voice-over-IP is a general application category, and gives very little help in discerning whether an issue affects a particular site or product.

    Suppose that a new bug were described as a "file sharing security flaw". Now, does that affect Samba? FTP? NFS? Kazaa? File server bots on IRC? One expects good technical reporting to mention the affected services -- or better yet, actual products -- rather than simply describing a general application category.

    Specifically, in the VoIP application category, there are two major signaling protocols in use: H.323 and SIP. The last round of "VoIP security flaws" affected SIP software. The current discoveries affect H.323. Describing both as "VoIP flaws" and suggesting that the application domain itself is "threatened" is really quite silly. It is as if someone suggested that a certain bug in IIS and another in Freenet together suggested that "file transfer" on the Internet were threatened.

    (For those who don't know much about VoIP: H.323 is the older of the two protocols, and is closer to the "telecoms" way of doing things. It was, IIRC, originally connected to ISDN. SIP is newer, and closer to the "Internet" way of doing things -- if you look at packet captures of it, they look vaguely reminiscent of HTTP, only they're UDP.)

    1. Re:"VoIP" is not a protocol by binux · · Score: 3, Informative
      ... they look vaguely reminiscent of HTTP, only they're UDP.)

      Not just vaguely reminiscent. SIP message formats (request/status line followed by headers) are pretty much like HTTP headers. The response codes like 200 (OK), 404 (Not Found) too are from HTTP. SIP implements authentication using the HTTP digest authentication scheme. Most of the early SIP implementations were on UDP. TCP is however the mandatory transport to be supported by SIP end-points and servers. SIP also works over TLS.

  19. Great opportunity by Jonboy+X · · Score: 4, Funny

    Cool! Now if you leave voice mail over 2 minutes long, instead of an annoying beep, you get root access!

    Love those buffer exploits...

    --

    "In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
  20. Re:You should read this before committing to Linux by Anonymous Coward · · Score: 3, Informative

    But Windows rests on a 20 year old operating system.

    Muh? Granted the parent poster is a troll, but there's no need to lie in response.

    Windows NT 3.1 - a 32-bit operating system built from the ground-up was released in July 1993 (there was no NT version 1.0 or 2.0, they skipped ahead to keep up with the Windows 3.1 version number). As anyone who tried to run DOS games on Windows NT / 2000 / XP can tell you - it is definitely *NOT* based on DOS.

    Taking release dates, Windows NT is two years younger than Linux - which was released in August 1991

    If you're going to lie, at least do it convincingly. (The original poster was refering to Windows NT 4, not Windows 95 and 98, which admittedly sit on top of DOS).

  21. Pragmatically, though..... by liamk · · Score: 5, Informative
    I've received several calls and emails from customers today asking about the relevancy of the Cisco Security Alert. By and large, I only deal with enterprise/corporate-type customers (not large VoIP service providers), and I install a ton of Cisco VoIP products, so this comment really only applies to that segment of the marketplace.



    I don't think that this is going to be as large of a problem as Cisco's earlier issues. Although a worm could target home users running IP telephony applications on their PC's, this vulnerability is non-replicating and the potential for abuse is rather limited.



    Basically, there are two major Cisco product lines that are affected by this bug. The first is Cisco's VoIP infrastructure products: the Cisco CallManager server, Conferencing Server, Softswitch and IOS-based routers running H.323 services, among others. Except where the public has access to VoIP services over the Internet, these servers and routers are located on the inside of a firewall. In a best-practices network design, all access to these servers and routers is either via the internal LAN or through a secure VPN connection over the Internet (or any other public network, for that matter). I would find it very unusual to have these services available publicly. If I left a Cisco router with POTS access and an easily guessable dial peer on an Internet-accessible LAN, the potential for toll fraud would be enormous (free calls, lots 'o free calls).



    The second group of products that are vulnerable are Cisco routers performing NAT and firewall services. Cisco's Content Based Access-Control (CBAC) -- a "dynamic firewall" technology -- is also vulnerable to the H.323 DoS attacks in the same manner as the Microsoft IAS server. Once again, unless H.323 ports are open to unrestricted access from the Internet, routers are not vulnerable from random outside attacks. Traffic that originated from behind the firewall would be able to disrupt services, however it's much easier to apply an access list to track and block the offending traffic than it is to prevent an external DoS attack.



    What's my point? I don't see a widespread attack being able to disable servers and routers on a large scale. Unless attacks are originated from inside a corporate firewall, the potential for disrupted services are minimal. I'm sure that large VoIP service providers are scrambling to patch and secure whatever systems possible - however, they are much better equipped to handle this issue than a Mom and Pop business who happens to have a CallManager server (at least we hope).



    For people who are running these products, I'm recommending a thorough review of external firewall policies to make sure that there aren't any exposed H.323 ports. I'm also recommending an upgrade when it's feasible, but IMHO, there aren't many situations that would require burning the midnight oil to install patches.



    Just my $.02.

  22. My worry is. . . by WinterpegCanuck · · Score: 2

    that on the same page they talk about this flaw, they have the link for "How to Check If You Have ISA Server"

    Is the audience of this page really the people we want running and securing corporate networks?

  23. Expect such flaws in 2.6 soon by kris · · Score: 3, Interesting

    The current H.323 flaw is based on bugs on the ASN.1 parser used in these products. The big bugs in almost all SNMP implementations a year ago or so also was based in ASN.1 parsing failures. Many openssl bugs are based in ASN.1 parsing failures.

    The linux kernel 2.6 just got ASN.1 parsing INSIDE THE KERNEL in order to implement AUTH_KERB as part of the NFS/Kerberos client. Expect ASN.1 parsing based bugs inside the Linux kernel real soon now.

  24. Acid Test by tacocat · · Score: 2, Insightful

    The acid test will be how long it will take for Vonage to respond to this Advisory. They ship affected Cisco routers.

    They can run a telephone communications business with a mere fraction of the people that AT&T does, but can they effectively managed their system when something goes wrong?