[Full-Disclosure] Re: ASN.1 telephony critical infrastructure warning - VOIP

I would say that this is somewhat misleading. First of all not all VoIP
services use ASN.1 encoding for the protocol. While H.323 does SIP does
not.

Additionally I suspect that not many of the carrier deployment of H.323
are using the MS ASN.1 libs as most of them are unix based (many of
them will be running SPARC/Solaris).

Now that being said if companies are allowing VoIP to the desktop for
services like netmeeting there could be problems.

        RJ

---
RJ Auburn
CTO, Voxeo Corporation
tel:+1-407-418-1800
On Feb 17, 2004, at 07:37, Gadi Evron wrote:
> I apologize, but I am using these mailing lists to try and contact the 
> different */CERT teams for different countries.
>
> As we all know, ASN.1 is a new very easy to exploit vulnerability. It 
> attacks both the server and the end user (IIS and IE).
>
> We expect a new massive worm to come out exploiting this vulnerability 
> in the next few days.
>
> Why should this all interest you beyond it being the next blaster?
>
> ASN is what VOIP is based on, and thus the critical infrastructure for 
> telephony which is based on VOIP.
>
> This may be a false alarm, but you know how worms find their way into 
> every network, private or public. It could (maybe) potentially bring 
> the system down.
>
> I am raising the red flag, better safe than sorry.
>
> The two email messages below are from Zak Dechovich and myself on this 
> subject, to TH-Research (The Trojan Horses Research Mailing List). The 
> original red flag as you can see below, was raised by Zak. Skip to his 
> message if you like.
>
>     Gadi Evron.
>
>
>
> Subject: [TH-research] */CERT people: Critical Infrastructure and 
> ASN.1 - VOIP [WAS: Re:
>  [TH-research] OT: naming the fast approaching ASN.1 worm]
>
> Mail from Gadi Evron <ge@linuxbox.org>
>
> All the */CERT people on the list:
> If you haven't read the post below, please do.
>
> Anyone checked into the critical infrastructure survivability of an ASN
> worm hitting? phone systems could possibly go down. We all know how
> worms find their way into any network, private or otherwise. and VOIP
> systems (which phone systems are based on nowadays) could go down.
>
> Heads-up! Finds them contingency plans..  :o)
>
> Any information would be appreciated, or if you need more information 
> from us: +972-50-428610.
>
>     Gadi Evron.
>
>
> Zak Dechovich wrote:
>
> > Mail from Zak Dechovich <ZakGroups@SECUREOL.COM>
> >
> > May I suggest the following:
> >
> > ASN1 is mainly used for the telephony infrastructure (VoIP),
> > any code that attacks this infrastructure can be assigned with 'VoIP'
> > prefix, followed by the attacked vendor (cisco, telrad, microsoft, 
> etc.).
> >
> > for example, if (when) Microsoft's h323 stack will be attacked, the 
> name
> > should be VoIP.ms323.<variant>, or if Cisco's gatekeepers will 
> crash, lets
> > call it VoIP.csgk.<variant>
> >
> > Your thoughts ?
> >
> > Zak Dechovich,
> >
> > Zak Dechovich,
> > Managing Director
> > SecureOL Ltd.
> > Mobile: +972 (53) 828 656
> > Office: +972 (2) 675 1291
> > Fax:    +972 (2) 675 1195
>
> -
> TH-Research, the Trojan Horses Research mailing list.
> List home page: http://ecompute.org/th-list
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html