CERT-In Advisory CIAD-2010-22
Cisco IOS Software H.323 Denial of Service Vulnerabilities

Original issue date: March 30, 2010

Severity Rating: High

Systems Affected

  • Cisco IOS Software with H.323 implementation

Overview

Two vulnerabilities have been reported in the H.323 implementation of Cisco IOS Software that could allow a remote attacker to cause denial of service conditions.

Description

1. H.323 Packet Processing Blocked Interface Denial of Service Vulnerability (CVE-2010-0582)

The vulnerability is caused by insufficient processing of malformed H.323 network messages. A remote attacker could exploit the vulnerability by sending malicious H.323 packets to the targeted device. Successful exploitation could allow the attacker to cause the device to stop responding, resulting in a denial of service (DoS) condition.

2. H.323 Protocol Packet Handling Memory Leak Denial of Service Vulnerability (CVE-2010-0583)

The vulnerability is due to improper processing of malformed H.323 packets. The affected software may consume and fail to free memory when processing malformed packets, resulting in a memory leak. A remote attacker could exploit the vulnerability by sending a series of malicious packets to the targeted device. Successful exploitation could allow the attacker to cause the device to stop responding, resulting in a denial of service (DoS) condition.

Solution

Apply appropriate software fixes as mentioned in the Cisco Security Advisory.

Vendor Information

CISCO
http://www.cisco.com/warp/public/707/cisco-sa-20100324-h323.shtml

References

Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=20066
http://tools.cisco.com/security/center/viewAlert.x?alertId=20067

Security Tracker
http://securitytracker.com/alerts/2010/Mar/1023742.html

CVE Name
CVE-2010-0582
CVE-2010-0583

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003