<<< Date Index >>>     <<< Thread Index >>>

Re: [Full-Disclosure] ASN.1 telephony critical infrastructure warning - VOIP



Here are some more details on various things that use ASN.1

http://asn1.elibel.tm.fr/en/uses/rfc.htm

-Dan
On Tue, 17 Feb 2004, 3APA3A wrote:

> Dear Gadi Evron,
>
> ASN.1  is  used  by  many  services,  but  all  use different underlying
> protocols.  It's  not  likely  NetMeeting or MS ISA server to be primary
> attack  targets.  Attack  against  MS  IPSec  implementation,  Exchange,
> SMB/CIFS, RPC services, IIS and specially IE will no have impact to VoIP
> infrastructure  (except  connectivity  degradation  because  of  massive
> traffic). And these applications are more likely to be attack target.
>
> --Tuesday, February 17, 2004, 6:37:53 PM, you wrote to 
> bugtraq@xxxxxxxxxxxxxxxxx:
>
> GE> I apologize, but I am using these mailing lists to try and contact the
> GE> different */CERT teams for different countries.
>
> GE> As we all know, ASN.1 is a new very easy to exploit vulnerability. It
> GE> attacks both the server and the end user (IIS and IE).
>
> GE> We expect a new massive worm to come out exploiting this vulnerability
> GE> in the next few days.
>
> GE> Why should this all interest you beyond it being the next blaster?
>
> GE> ASN is what VOIP is based on, and thus the critical infrastructure for
> GE> telephony which is based on VOIP.
>
> GE> This may be a false alarm, but you know how worms find their way into
> GE> every network, private or public. It could (maybe) potentially bring the
> GE> system down.
>
> GE> I am raising the red flag, better safe than sorry.
>
> GE> The two email messages below are from Zak Dechovich and myself on this
> GE> subject, to TH-Research (The Trojan Horses Research Mailing List). The
> GE> original red flag as you can see below, was raised by Zak. Skip to his
> GE> message if you like.
>
> GE>      Gadi Evron.
>
>
>
> GE> Subject: [TH-research] */CERT people: Critical Infrastructure and ASN.1
> GE> - VOIP [WAS: Re:
> GE>   [TH-research] OT: naming the fast approaching ASN.1 worm]
>
> GE> Mail from Gadi Evron <ge@xxxxxxxxxxxx>
>
> GE> All the */CERT people on the list:
> GE> If you haven't read the post below, please do.
>
> GE> Anyone checked into the critical infrastructure survivability of an ASN
> GE> worm hitting? phone systems could possibly go down. We all know how
> GE> worms find their way into any network, private or otherwise. and VOIP
> GE> systems (which phone systems are based on nowadays) could go down.
>
> GE> Heads-up! Finds them contingency plans..  :o)
>
> GE> Any information would be appreciated, or if you need more information
> GE> from us: +972-50-428610.
>
> GE>      Gadi Evron.
>
>
> GE> Zak Dechovich wrote:
>
>  >> Mail from Zak Dechovich <ZakGroups@xxxxxxxxxxxx>
>  >>
>  >> May I suggest the following:
>  >>
>  >> ASN1 is mainly used for the telephony infrastructure (VoIP),
>  >> any code that attacks this infrastructure can be assigned with 'VoIP'
>  >> prefix, followed by the attacked vendor (cisco, telrad, microsoft, etc.).
>  >>
>  >> for example, if (when) Microsoft's h323 stack will be attacked, the name
>  >> should be VoIP.ms323.<variant>, or if Cisco's gatekeepers will crash,
> GE> lets
>  >> call it VoIP.csgk.<variant>
>  >>
>  >> Your thoughts ?
>  >>
>  >> Zak Dechovich,
>  >>
>  >> Zak Dechovich,
>  >> Managing Director
>  >> SecureOL Ltd.
>  >> Mobile: +972 (53) 828 656
>  >> Office: +972 (2) 675 1291
>  >> Fax:    +972 (2) 675 1195
>
> GE> -
> GE> TH-Research, the Trojan Horses Research mailing list.
> GE> List home page: http://ecompute.org/th-list
>
> GE> _______________________________________________
> GE> Full-Disclosure - We believe in it.
> GE> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
> --
> ~/ZARAZA
> Ñýð Èñààê Íüþòîí îòêðûë, ÷òî ÿáëîêè ïàäàþò íà çåìëþ. (Òâåí)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

-Daniel Uriah Clemens

Esse quam videra
                (to be, rather than to appear)
                     -Moments of Sorrow are Moments of Sobriety
                      { o)2059686335             c)2055676850 }