Multiple Cisco devices H.323 message denial of service (Cisco_H323_Overflow)

About this signature or vulnerability

IBM Security Host Protection for Servers (Unix), IBM Security Host Protection for Desktops, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, Proventia Network IPS, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS:

This signature detects illegally large field lengths in H.225.0v4 messages sent to create an overflow condition on Cisco routers.


False positives

IBM Security Host Protection for Servers (Unix), IBM Security Host Protection for Desktops, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, Proventia Network IPS, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS:

This signature may trigger on packets whose field lengths are valid according to ITU Recommendations but are treated as illegal by the implementation in the vulnerable versions of Cisco routers.

Default risk level

Medium

Sensors that have this signature

IBM Security Host Protection for Servers (Unix): 2.2.2, IBM Security Host Protection for Desktops: 8.0.614.1, Proventia Server IPS for Linux technology: 1.0, Virtual Server Protection for Vmware: 1.0, IBM Security Host Protection for Servers (Windows): 1.0.914.0, IBM Security Host Protection for Servers (Windows): 2.1.14.2400, RealSecure Server Sensor: XPU 22.8, Proventia Network IPS: 2.0, Proventia Network IDS: XPU 22.8, Proventia-G 1.1 and earlier: XPU 22.8, Proventia Network MFS: XPU 1.6

Systems affected

Cisco IOS: 12.0, Cisco IOS: 12.1T, Cisco IOS: 12.1E, Cisco IOS: 12.0S, Cisco IOS: 12.0T, Cisco IOS: 12.1, Cisco IOS: 12.2T, Cisco IOS: 12.2, Cisco IOS: 12.2S, Cisco IOS: 11.3T

Type

Unauthorized Access Attempt

Vulnerability description

Multiple Cisco devices are vulnerable to a denial of service caused by a flaw in the handling of H.323 (VoIP) messages. A remote attacker could use the c07-h2250v4 tool, which sends a large number of malformed packets to test compliance with the H.323 standards, to cause the device to hang or crash. The device must be rebooted or reloaded to regain normal functionality.

How to remove this vulnerability

Upgrade to one of the fixed software versions, as listed in Cisco Security Advisory dated 2004 January 13 UTC 1200. See References.

References

Cisco Systems Inc. Security Advisory, 2004 January 13 UTC 1200
Vulnerabilities in H.323 Message Processing
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml

NISCC Vulnerability Advisory 006489/H323
Vulnerability Issues in Implementations of the H.323 Protocol
http://www.uniras.gov.uk/niscc/docs/re-20040113-00387.pdf?lang=en

CERT Vulnerability Note VU#749342
Multiple vulnerabilities in H.323 implementations
http://www.kb.cert.org/vuls/id/749342

Internet Security Systems Security Alert, January 13, 2004
Multiple Vendor H.323 Implementation Vulnerabilities
http://xforce.iss.net/xforce/alerts/id/160

CIAC Information Bulletin O-050
Cisco Vulnerabilities in H.323 Message Processing
http://www.ciac.org/ciac/bulletins/o-050.shtml

ISS X-Force
Multiple Cisco devices H.323 message denial of service
http://www.iss.net/security_center/static/14204.php

CVE
CVE-2004-0054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0054