H.323 Security Flaw Real, Impact Minimal

January 13, 2004

An article published today on CNET and resulting from a security advisory posted by NISCC reported a security vulnerability with H.323. The flaw is related to H.323 and its use of ASN.1 Packed Encoding Rules (PER) for encoding and decoding messages, improper handling of malformed H.225.0 messages, and resource leakage. The security flaw is real, but the impact is minimal.

The primary security vulnerability arises from systems that do not properly check for malformed H.225.0 messages or malformed ASN.1 PER messages or messages of indefinite lengths. As a message is received, it should be checked to ensure that it is properly formed, both prior to decoding and during the decoding process. Thus, the problem is not inherent in the H.323 protocol or even ASN.1, but with the PER or message processing implementations used by some H.323 systems.

Correcting this vulnerability is relatively straightforward and most vendors have already taken corrective action. It involves putting proper constraint checking in the PER decoding libraries to ensure that malformed messages messages are properly discarded and do not disrupt system operation and to check the H.225.0 messages for proper content.

The second class of vulnerabilities relates to resource leakage. This is again due partly to the malformed message not being processed correctly, resulting in memory leaks. It is also due to the fact that some H.323 systems are not proactive in closing TCP connections over which a call is never established. The latter is not unusual, in fact, for any TCP-based system. A default Apache server, for example, will leave the TCP connection established for five (5) minutes before closing the connection. H.323 and any TCP-based system should be more proactive in closing connections to eliminate wasted resources.

While H.323 is the most widely used VoIP communication protocol worldwide, the impact is mitigated by the fact that most VoIP systems are operated on private networks that are out of reach from most hackers who would attempt to exploit such vulnerabilities. Further, it should be well understood that this issue is an implementation issue, not a standards-related issue. There are vendors whose equipment was not found to exhibit the reported problems. What this means is that global H.323 long distance networks that presently carry billions of voice minutes each month will not likely to be impacted at all.

UPDATE: Other stories related to this issue:

• CNET
• Light Reading
• The Register
• NetworkWorldFusion (1)
• NetworkWorldFusion (2)
• InformationWeek

Related links:

• Writing safe programs that use ASN.1