Security flaws put VoIP systems at risk

The disclosure of critical vulnerabilities in voice-over-IP products from several major vendors shows why companies need to pay close attention to security when deploying IP telephony technologies, analysts said.

The flaws were discovered by Britain's National Infrastructure Security Co-ordination Centre using a test suite designed by a group of researchers at the University of Oulu in Finland. The flaws exist in VoIP products that support the H.323 protocol, which is used to exchange audio and video communications.

Products sold by Microsoft, Cisco Systems and Nortel Networks are among the affected software, and the risks to users include denial-of-service attacks and malicious hackers taking control of systems, according to an advisory issued by Internet Security Systems Inc. (ISS).

Neel Mehta, a security researcher at Atlanta-based ISS, said the vulnerabilities are the result of coding errors in individual H.323 implementations. The flaws in Cisco's Internetworking Operating System (IOS) software present the biggest concern because of its widespread use in Internet routers, Mehta said.

In its own advisory, Cisco said all products that run IOS and support H.323 packet processing are affected by the flaws. Several other IP telephony products are at risk, even though they don't run IOS, the company added. Cisco released patches for all of the affected devices.

Microsoft warned users that the H.323 filter in its Internet Security and Acceleration Server 2000 software is vulnerable and gave the flaw a "critical" severity rating. Attackers could use the security hole to take complete control of compromised systems, said Microsoft, which also released software patches.