[<prev] [next>] [day] [month] [year] [list]
Message-ID: <OF22519997.5DF39C23-ON86256E3F.00501AD3@us.ibm.com>
Date: Thu, 19 Feb 2004 08:44:13 -0600
From: Joseph M Hoffman <hoffjose@...ibm.com>
To: RJ Auburn <rj@...eo.com>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com,
Gadi Evron <ge@...tistical.reprehensible.net>,
Zak Dechovich <ZakGroups@...ureol.com>
Subject: Re: ASN.1 telephony critical infrastructure warning - VOIP
I agree that this is somewhat misleading in that VoIP and ASN1 do not go
hand in hand. One item that maybe be an obvious is how to
avoid the exploitation of VoIP no mater what protocol it is running is the
use of a layered protective architecture. Many times I have seen
enterprises run and "protect" every service under the sun but somehow miss
building the VoIP server into that protective layering. The VoIP sever
needs to only be
contacted through a firewall,choke, and ids(ips) , set in a dmz, and
treated just like any other component with policies, proceedures, msb's,
and
guidelines surronding it. The major root to the problems of new
exploitations with the blended virus/worm attacks is not the individaul
pieces of the
enterprise but the overall security architecture is not looked at close
enough.
regards,
Joseph M. Hoffman,CISSP, CCSA,CCSE,NSWC,SBFCC,B.A.
I.B.M. Security & Privacy Services
office 816-228-3275
mobile 816-721-3275
The highest reward for man's toil is not what he gets for it, but what he
becomes by
it.
John Ruskin
RJ Auburn
<rj@...eo.com> To: Gadi Evron <ge@...tistical.reprehensible.net>
cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com, Zak
02/17/2004 01:54 Dechovich <ZakGroups@...ureol.com>
PM Subject: Re: ASN.1 telephony critical infrastructure warning - VOIP
I would say that this is somewhat misleading. First of all not all VoIP
services use ASN.1 encoding for the protocol. While H.323 does SIP does
not.
Additionally I suspect that not many of the carrier deployment of H.323
are using the MS ASN.1 libs as most of them are unix based (many of
them will be running SPARC/Solaris).
Now that being said if companies are allowing VoIP to the desktop for
services like netmeeting there could be problems.
RJ
---
RJ Auburn
CTO, Voxeo Corporation
tel:+1-407-418-1800
On Feb 17, 2004, at 07:37, Gadi Evron wrote:
> I apologize, but I am using these mailing lists to try and contact the
> different */CERT teams for different countries.
>
> As we all know, ASN.1 is a new very easy to exploit vulnerability. It
> attacks both the server and the end user (IIS and IE).
>
> We expect a new massive worm to come out exploiting this vulnerability
> in the next few days.
>
> Why should this all interest you beyond it being the next blaster?
>
> ASN is what VOIP is based on, and thus the critical infrastructure for
> telephony which is based on VOIP.
>
> This may be a false alarm, but you know how worms find their way into
> every network, private or public. It could (maybe) potentially bring
> the system down.
>
> I am raising the red flag, better safe than sorry.
>
> The two email messages below are from Zak Dechovich and myself on this
> subject, to TH-Research (The Trojan Horses Research Mailing List). The
> original red flag as you can see below, was raised by Zak. Skip to his
> message if you like.
>
> Gadi Evron.
>
>
>
> Subject: [TH-research] */CERT people: Critical Infrastructure and
> ASN.1 - VOIP [WAS: Re:
> [TH-research] OT: naming the fast approaching ASN.1 worm]
>
> Mail from Gadi Evron <ge@...uxbox.org>
>
> All the */CERT people on the list:
> If you haven't read the post below, please do.
>
> Anyone checked into the critical infrastructure survivability of an ASN
> worm hitting? phone systems could possibly go down. We all know how
> worms find their way into any network, private or otherwise. and VOIP
> systems (which phone systems are based on nowadays) could go down.
>
> Heads-up! Finds them contingency plans.. :o)
>
> Any information would be appreciated, or if you need more information
> from us: +972-50-428610.
>
> Gadi Evron.
>
>
> Zak Dechovich wrote:
>
> > Mail from Zak Dechovich <ZakGroups@...UREOL.COM>
> >
> > May I suggest the following:
> >
> > ASN1 is mainly used for the telephony infrastructure (VoIP),
> > any code that attacks this infrastructure can be assigned with 'VoIP'
> > prefix, followed by the attacked vendor (cisco, telrad, microsoft,
> etc.).
> >
> > for example, if (when) Microsoft's h323 stack will be attacked, the
> name
> > should be VoIP.ms323.<variant>, or if Cisco's gatekeepers will
> crash, lets
> > call it VoIP.csgk.<variant>
> >
> > Your thoughts ?
> >
> > Zak Dechovich,
> >
> > Zak Dechovich,
> > Managing Director
> > SecureOL Ltd.
> > Mobile: +972 (53) 828 656
> > Office: +972 (2) 675 1291
> > Fax: +972 (2) 675 1195
>
> -
> TH-Research, the Trojan Horses Research mailing list.
> List home page: http://ecompute.org/th-list
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists