Flaws threaten VoIP networks

Microsoft and Cisco are on a long list of technology companies whose products may be affected by vulnerabilities in a messaging standard.

A technical review conducted by the British government has found several security flaws in products that use VoIP and text messaging, including those from Microsoft and Cisco Systems.

The flaws affect software and hardware that support the real-time multimedia communications and processing standard, known as the International Telecommunications Union (ITU) H.323 standard.


What's new:
Researchers have found several security flaws in products that use VoIP and text messaging, including those from Microsoft and Cisco Systems.

Bottom line:
Microsoft and Cisco have addressed the issue, but several companies' products are also at risk.

For more info:
Track the players

The security problems can cause a product that supports H.323 to crash. For example, in Cisco telecommunications products running its IOS operating system, the vulnerability could be used to cause the devices to freeze or reboot. However, on Microsoft's Internet Security and Acceleration Server 2000, which is included with Small Business Server 2000 and 2003 editions, the vulnerability could allow an attacker to take control of the system.

Ironically, in Microsoft's case, the Internet Security and Acceleration Server is designed to help protect companies' networks from online attacks. Specifically, a filter used in the server that secures VoIP communications is vulnerable to the flaw.

"It is kind of the same situation that we have seen--a certain level of human error is going to be present and that is true even for security software," said Stephen Toulouse, security program manager for Microsoft.

Microsoft released a patch for its Internet Security and Acceleration Server on Tuesday and published ways to disable the affected service for customers that want to take time to test the software.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

Also Tuesday, Cisco Systems published an extensive advisory outlining which of its products are affected and giving instructions on how to patch them. Among the vulnerable products are CallManager version 3.0 through 3.3, Conference Connection, Internet Service Node and several VoIP switches.

Cisco would not comment on the issue except to refer people to the advisory.

Several other companies also produce products that may be affected, but as of midday Tuesday only Cisco and Microsoft had issued advisories and patches.

Avaya, Fujitsu, Hewlett-Packard, Lucent and Nortel are investigating the issue. Apple, Hitachi, NetBSD, Red Hat and Symantec have determined that their products aren't affected by the flaws.

Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.

The flaws were found by the United Kingdom's Internet security watchdog, . The group had been testing a variety of products used in the United Kingdom's critical communications infrastructure and discovered the problem.

The program used to test the products is an ongoing project at the University of Oulu in Finland. The university's Secure Programming Group has developed tools for finding flaws in network communications standards. Two years ago, the group's work discovered a major flaw in a basic standard used throughout the Internet and other telecommunications networks. Last year, the group discovered flaws in the Session Initiation Protocol (SIP), another technology used by VoIP networks.

The Computer Emergency Response Team (CERT) Coordination Center in the United States released an advisory Tuesday based on the information from NISCC.

While a malicious attacker could use the flaws to disrupt VoIP networks, companies using Microsoft's Small Business Server 2000 and 2003 are at particular risk. An attacker can gain a beachhead into a company's network using the flawed H.323 filter, said Microsoft's Toulouse.

"This sort of illuminates to me the value of security researchers where they can test all the situations in which our customers use the product," he said. "H.323 is a very specific protocol. I would hazard a guess that (most people) had not heard about it before today."

Featured Video
This content is rated TV-MA, and is for viewers 18 years or older. Are you of age?
Sorry, you are not old enough to view this content.

Microsoft leaves Apple in the dust with tablet and laptop innovation in 2015

Will there be one Apple Ring to rule them all? That's what a patent application says. Plus, building the thinnest gadget isn't innovation anymore and Apple just got a reality check from Microsoft.

by Brian Tong