Date: 26 Oct, 2004
Title: H.323 Protocol Agent DoS Vulnerability
Refs: NISCC Vulnerability Advisory 060525/H323
CVE: CAN-2004-0498
Severity: Low
The information contained in this advisory is provided on an as-is basis. Stonesoft does not make any warranties of any kind with respect to the information contained in this advisory. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.
IN NO EVENT WILL STONESOFT, CORP. BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS ADVISORY.
If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction.
NISCC published a vulnerability advisory on 26 Oct 2004 about several vulnerabilities in H.323 protocol implementations. Stonesoft products are affected as stated below.
The H.323 protocol is interpreted by the StoneGate firewall engine in the H.323 protocol agent. By default this protocol agent is not activated, and thus the vulnerability cannot be exploited.
However, if the vulnerable H.323 protocol agent is activated in the firewall engine configuration, a crafted message interpreted by the H.323 protocol agent may cause the firewall engine to reboot itself.
The vulnerability cannot be exploited unless the firewall policy allows the attacker to connect to some H.323 server so that the firewall's H.323 protocol agent monitors and interprets the connection.
All StoneGate engines up to and including version 2.2.8 contain the vulnerable software. A new StoneGate engine version 2.5.0 for the Intel platform is planned to be available on November 1st, 2004. The new version will be available for download from Stonesoft's web site at www.stonesoft.com. All customers with valid support and maintenance contracts will be notified. StoneGate users on non-Intel platforms who need a patch for the H.323 protocol agent should contact Stonesoft's technical support.
All StoneGate users are encouraged to upgrade their StoneGate engines to the appropriate new version as soon as it is available.
As a workaround and while waiting for the upgrade, Stonesoft recommends limiting access to the vulnerable H.323 protocol agent as much as possible. The default firewall configuration, as provided with the product, does not have the H.323 protocol agent activated. If the protocol agent is needed, Stonesoft recommends tightening the firewall rulebase to limit the clients that are allowed to connect through the firewall's H.323 protocol agent.
StoneGate Management Center does not interpret the H.323 protocol and is thus not vulnerable.
StoneGate IPS does not interpret the H.323 protocol and is thus not vulnerable.
StoneBeat HA does not interpret the H.323 protocol and is thus not vulnerable.
StoneBeat Clustering products do not interpret the H.323 protocol and are thus not vulnerable.
Stonesoft Security Analysis Group's PGP key is available at: ftp://download.stonesoft.com/web/Support/Stonesoft%20Security%20Alert.asc
To report or inquire about a security problem with Stonesoft software, contact one or more of the following:
Stonesoft Support
Stonesoft Security Analysis Group. Send email to:
security-alert@stonesoft.com
Copyright 2004 Stonesoft, Corp. All rights reserved.
Stonesoft, StoneGate and StoneBeat are trademarks or registered trademarks of Stonesoft, Corp. in Finland and other countries. All other company and product names contained herein are property of their respective holders. This advisory may be reproduced and distributed only in its unaltered form and only for non-commercial purposes.