BugTraq
ASN.1 telephony critical infrastructure warning - VOIP Feb 17 2004 03:37PM
Gadi Evron (ge egotistical reprehensible net) (4 replies)
Re: ASN.1 telephony critical infrastructure warning - VOIP Feb 17 2004 07:54PM
RJ Auburn (rj voxeo com)

I would say that this is somewhat misleading. First of all, not all VoIP
services use ASN.1 encoding for the protocol. While H.323 does, SIP does
not.

Additionally, I suspect that not many of the carrier deployments of H.323
are using the MS ASN.1 libs, as most of them are Unix-based (many of
them will be running SPARC/Solaris).

Now, that being said, if companies are allowing VoIP to the desktop for
services like NetMeeting, there could be problems.

RJ

---
RJ Auburn
CTO, Voxeo Corporation
tel:+1-407-418-1800

On Feb 17, 2004, at 07:37, Gadi Evron wrote:

> I apologize, but I am using these mailing lists to try and contact the
> different */CERT teams for different countries.
>
> As we all know, ASN.1 is a new very easy to exploit vulnerability. It
> attacks both the server and the end user (IIS and IE).
>
> We expect a new massive worm to come out exploiting this vulnerability
> in the next few days.
>
> Why should this all interest you beyond it being the next blaster?
>
> ASN is what VOIP is based on, and thus the critical infrastructure for
> telephony which is based on VOIP.
>
> This may be a false alarm, but you know how worms find their way into
> every network, private or public. It could (maybe) potentially bring
> the system down.
>
> I am raising the red flag, better safe than sorry.
>
> The two email messages below are from Zak Dechovich and myself on this
> subject, to TH-Research (The Trojan Horses Research Mailing List). The
> original red flag as you can see below, was raised by Zak. Skip to his
> message if you like.
>
> Gadi Evron.
>
>
>
> Subject: [TH-research] */CERT people: Critical Infrastructure and
> ASN.1 - VOIP [WAS: Re:
> [TH-research] OT: naming the fast approaching ASN.1 worm]
>
> Mail from Gadi Evron <ge (at) linuxbox (dot) org>
>
> All the */CERT people on the list:
> If you haven't read the post below, please do.
>
> Anyone checked into the critical infrastructure survivability of an ASN
> worm hitting? Phone systems could possibly go down. We all know how
> worms find their way into any network, private or otherwise. And VOIP
> systems (which phone systems are based on nowadays) could go down.
>
> Heads-up! Finds them contingency plans.. :o)
>
> Any information would be appreciated, or if you need more information
> from us: +972-50-428610.
>
> Gadi Evron.
>
>
> Zak Dechovich wrote:
>
> > Mail from Zak Dechovich <ZakGroups (at) SECUREOL (dot) COM>
> >
> > May I suggest the following:
> >
> > ASN1 is mainly used for the telephony infrastructure (VoIP),
> > any code that attacks this infrastructure can be assigned with 'VoIP'
> > prefix, followed by the attacked vendor (cisco, telrad, microsoft, etc.).
> >
> > For example, if (when) Microsoft's h323 stack will be attacked, the name
> > should be VoIP.ms323.<variant>, or if Cisco's gatekeepers will crash,
> > let's call it VoIP.csgk.<variant>
> >
> > Your thoughts ?
> >
> > Zak Dechovich,
> > Managing Director
> > SecureOL Ltd.
> > Mobile: +972 (53) 828 656
> > Office: +972 (2) 675 1291
> > Fax: +972 (2) 675 1195
>
> -
> TH-Research, the Trojan Horses Research mailing list.
> List home page: http://ecompute.org/th-list
>
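
The H.323-versus-SIP distinction drawn in the reply above can be checked on captured signalling. The sketch below is an added example, not part of the original thread; it labels a message as text SIP or as H.225.0 call signalling whose User-User element hands PER-encoded ASN.1 to a decoder. The function name and both sample messages are constructed for illustration, and the ASN.1 body in the H.225.0 sample is placeholder bytes.

```python
SIP_METHODS = {b"INVITE", b"ACK", b"BYE", b"CANCEL", b"OPTIONS", b"REGISTER"}

def classify_signalling(payload: bytes) -> str:
    """Label one message: 'sip', 'h225-asn1', 'h225', 'malformed' or 'unknown'."""
    first = payload.split(b"\r\n", 1)[0]
    # SIP (RFC 3261) is plain text: "METHOD uri SIP/2.0" or "SIP/2.0 code reason".
    if first.startswith(b"SIP/2.0 ") or (
            first.endswith(b" SIP/2.0") and first.split(b" ", 1)[0] in SIP_METHODS):
        return "sip"
    # H.225.0 call signalling rides in TPKT (RFC 1006): version 3, reserved octet,
    # 16-bit total length, then Q.931 starting with protocol discriminator 0x08.
    if len(payload) < 8 or payload[0] != 3 or payload[4] != 0x08:
        return "unknown"
    if int.from_bytes(payload[2:4], "big") != len(payload):
        return "malformed"
    q931 = payload[4:]
    pos = 2 + (q931[1] & 0x0F) + 1    # skip discriminator, call reference, message type
    if pos > len(q931):
        return "malformed"
    while pos < len(q931):
        ie = q931[pos]
        if ie & 0x80:                  # single-octet information element
            pos += 1
            continue
        # The User-User IE (0x7E) has a 2-octet length in H.225.0; others use 1 octet.
        len_size = 2 if ie == 0x7E else 1
        start = pos + 1 + len_size
        if start > len(q931):
            return "malformed"
        ie_len = int.from_bytes(q931[pos + 1:start], "big")
        body = q931[start:start + ie_len]
        if len(body) != ie_len:
            return "malformed"         # declared length runs past the packet
        if ie == 0x7E and body[:1] == b"\x05":
            return "h225-asn1"         # PER-encoded H323-UserInformation follows
        pos = start + ie_len
    return "h225"

# Constructed samples (not captured traffic).
SIP_SAMPLE = (b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
              b"Via: SIP/2.0/UDP host.example.invalid\r\n\r\n")
# TPKT + Q.931 Setup + Bearer Capability IE + User-User IE with placeholder body.
H225_SAMPLE = bytes.fromhex("03000016" "0802000105" "04038893a5" "7e00050500000000")

if __name__ == "__main__":
    for name, msg in (("sip", SIP_SAMPLE), ("h225", H225_SAMPLE)):
        print(name, "->", classify_signalling(msg))
```

Run over a signalling capture, the `h225-asn1` label marks the messages that reach an ASN.1 decoder on the receiving host, which is the population the patching question in this thread applies to.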
