Document ID: KM02992240 (c01037794)
Release Date: 2004-05-11
Last Updated: 2007-04-26
Potential Security Impact: Remote Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
A potential security vulnerability has been identified in the HP OpenCall MultiService Controller (OCMC) H.323 stack that may allow a remote user to create a Denial of Service (DoS).
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenCall MultiService Controller (OCMC) v1.1, v1.2 for HP-UX 11.0
For a PGP signed version of this security bulletin please write to: firstname.lastname@example.org
The HP Software Security Response team has contacted the source and various other vendors and is not aware of any malicious exploitation of any of the vulnerabilities described in this bulletin.
A test suite developed by the U.K. National Infrastructure Security Co-ordination Centre (NISCC) and the University of Oulu Security Programming Group (OUSPG) has exposed vulnerabilities in several implementations of the H.323 protocol.
The potential vulnerabilities may be exploited to produce a denial of service (DoS) attack. Such an attack may cause an affected product to fail over, or to crash and fail over. Due to its robust design, OCMC will recover from most attack scenarios. In the event that OCMC does not recover, the attack can be stopped by blocking the offending IP address. Attacks may also be blocked by creating an access list to restrict TCP port 1720 traffic to known, trusted IP addresses.
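The following added example (not part of the HP bulletin and not HP code) shows one way to find the offending sources mentioned above: it checks connection records against an allowlist of trusted peers and counts TCP port 1720 attempts from every other address. The log format, the trusted networks and all addresses are constructed assumptions for illustration.

```python
import ipaddress
from collections import Counter

H323_CALL_SIGNALING_PORT = 1720  # TCP port named in the bulletin

# Assumption: placeholder allowlist of trusted H.323 peers (documentation ranges).
TRUSTED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("192.0.2.0/28", "198.51.100.10/32")]

# Constructed sample records, hypothetical format:
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2004-05-11T10:00:01 TCP 192.0.2.5:40112 -> 203.0.113.20:1720
2004-05-11T10:00:02 TCP 203.0.113.77:51000 -> 203.0.113.20:1720
2004-05-11T10:00:03 TCP 203.0.113.77:51001 -> 203.0.113.20:1720
2004-05-11T10:00:04 TCP 203.0.113.77:51002 -> 203.0.113.20:22
2004-05-11T10:00:05 UDP 203.0.113.99:1719 -> 203.0.113.20:1720
2004-05-11T10:00:06 TCP 198.51.100.10:33000 -> 203.0.113.20:1720
2004-05-11T10:00:07 TCP 198.51.100.11:33001 -> 203.0.113.20:1720
garbage line
"""

def parse_line(line):
    """Return (proto, src_ip, dst_port), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    try:
        src_ip = ipaddress.ip_address(parts[2].rsplit(":", 1)[0])
        dst_port = int(parts[4].rsplit(":", 1)[1])
    except (ValueError, IndexError):
        return None
    return parts[1].upper(), src_ip, dst_port

def is_trusted(ip):
    """True if the address falls inside any allowlisted network."""
    return any(ip in net for net in TRUSTED_NETWORKS)

def untrusted_h323_sources(log_text):
    """Count TCP/1720 connection attempts per source outside the allowlist."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip records that do not match the expected format
        proto, src_ip, dst_port = rec
        if (proto == "TCP" and dst_port == H323_CALL_SIGNALING_PORT
                and not is_trusted(src_ip)):
            hits[str(src_ip)] += 1
    return hits

if __name__ == "__main__":
    for src, count in untrusted_h323_sources(SAMPLE_LOG).most_common():
        print(f"{src}\t{count} attempt(s) to TCP/1720 from outside the allowlist")
```

Sources reported here are candidates for a block rule, and any legitimate peer that appears should be added to the allowlist before the access list is enforced.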
HP has made the following patches available for OCMC v1.2 released January 2004. Please contact OpenCall support to receive the patches.
HP will be providing patches to the impacted versions of OCMC:
OCMC v1.1 patch 46
OCMC v1.1 patch 37
Revision: 0 (rev.0) - 11 May 2004 Initial release
Version: 1 (rev.1) - 9 July 2005 Patches are available for OCMC v1.2 released January 2004
Version: 2 (rev.2) - 25 April 2007 Reformatted
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."