[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200402200012.i1K0Cih08988@netsys.com>
Date: Tue, 17 Feb 2004 11:54:37 -0800
From: RJ Auburn <rj@...eo.com>
To: Gadi Evron <ge@...tistical.reprehensible.net>
Cc: <full-disclosure@...ts.netsys.com>, <bugtraq@...urityfocus.com>,
Zak Dechovich <ZakGroups@...ureol.com>
Subject: Re: ASN.1 telephony critical infrastructure warning - VOIP
I would say that this is somewhat misleading. First of all not all VoIP
services use ASN.1 encoding for the protocol. While H.323 does SIP does
not.
Additionally I suspect that not many of the carrier deployment of H.323
are using the MS ASN.1 libs as most of them are unix based (many of
them will be running SPARC/Solaris).
Now that being said if companies are allowing VoIP to the desktop for
services like netmeeting there could be problems.
RJ
---
RJ Auburn
CTO, Voxeo Corporation
tel:+1-407-418-1800
On Feb 17, 2004, at 07:37, Gadi Evron wrote:
> I apologize, but I am using these mailing lists to try and contact the
> different */CERT teams for different countries.
>
> As we all know, ASN.1 is a new very easy to exploit vulnerability. It
> attacks both the server and the end user (IIS and IE).
>
> We expect a new massive worm to come out exploiting this vulnerability
> in the next few days.
>
> Why should this all interest you beyond it being the next blaster?
>
> ASN is what VOIP is based on, and thus the critical infrastructure for
> telephony which is based on VOIP.
>
> This may be a false alarm, but you know how worms find their way into
> every network, private or public. It could (maybe) potentially bring
> the system down.
>
> I am raising the red flag, better safe than sorry.
>
> The two email messages below are from Zak Dechovich and myself on this
> subject, to TH-Research (The Trojan Horses Research Mailing List). The
> original red flag as you can see below, was raised by Zak. Skip to his
> message if you like.
>
> Gadi Evron.
>
>
>
> Subject: [TH-research] */CERT people: Critical Infrastructure and
> ASN.1 - VOIP [WAS: Re:
> [TH-research] OT: naming the fast approaching ASN.1 worm]
>
> Mail from Gadi Evron <ge@...uxbox.org>
>
> All the */CERT people on the list:
> If you haven't read the post below, please do.
>
> Anyone checked into the critical infrastructure survivability of an ASN
> worm hitting? phone systems could possibly go down. We all know how
> worms find their way into any network, private or otherwise. and VOIP
> systems (which phone systems are based on nowadays) could go down.
>
> Heads-up! Finds them contingency plans.. :o)
>
> Any information would be appreciated, or if you need more information
> from us: +972-50-428610.
>
> Gadi Evron.
>
>
> Zak Dechovich wrote:
>
> > Mail from Zak Dechovich <ZakGroups@...UREOL.COM>
> >
> > May I suggest the following:
> >
> > ASN1 is mainly used for the telephony infrastructure (VoIP),
> > any code that attacks this infrastructure can be assigned with 'VoIP'
> > prefix, followed by the attacked vendor (cisco, telrad, microsoft,
> etc.).
> >
> > for example, if (when) Microsoft's h323 stack will be attacked, the
> name
> > should be VoIP.ms323.<variant>, or if Cisco's gatekeepers will
> crash, lets
> > call it VoIP.csgk.<variant>
> >
> > Your thoughts ?
> >
> > Zak Dechovich,
> >
> > Zak Dechovich,
> > Managing Director
> > SecureOL Ltd.
> > Mobile: +972 (53) 828 656
> > Office: +972 (2) 675 1291
> > Fax: +972 (2) 675 1195
>
> -
> TH-Research, the Trojan Horses Research mailing list.
> List home page: http://ecompute.org/th-list
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists