Yesterday, Cisco released an advisory detailing a number of vulnerabilities which covered most recent versions of their IP phones, essentially the “Unified IP Phone” set of products, running both firmwares for SCCP and SIP. The covered vulnerabilities include a DNS Response Parsing Overflow, a Large ICMP Echo Request DoS, an HTTP Server DoS, an SSH Server DoS, a SIP MIME Boundary Overflow, a Telnet Server Overflow, and a SIP Proxy Response Overflow. Essentially, a wide range of vulnerabilities covering a number of the devices’ services and functionality.
While it’s good that Cisco is actively taking steps to improve their products and are actually informing customers and the security community about the device’s security issues via security advisories, the scope and number of vulnerabilities involved in this one advisory seems to still be fairly indicative of the state of security for new VoIP products hitting the market, especially user agents and client devices. It would seem that as the rush continues for VoIP innovation and a quick to market product, much of these products’ security assessment due-diligence, not to mention many of their security features, are still being left in the dust…Â Or at best, left for a firmware or software update post-launch.
Are you kidding? It’s how business works. Don’t act surprised. Microsoft, Apple, etc…. push products to market and clean up later.
BUT HERE’S THE KICKER — ***There’s nothing at all wrong with this.*** Anything else doesn’t make sense and is impossible to test the scope of having that many systems deployed.
Oh I’m not surprised at all… In fact, my post was more making the point that the status quo that we’ve been dealing with regarding the security posture of new VoIP endpoints is the same as it has been for years. I understand the business mentality and processes that creates the situation, as I mentioned toward the end of my most recent blog post about underpowered hardware, however that doesn’t excuse the fact that vendors that don’t put in the effort up-front foster an increased state of vulnerability in their customer’s networks. I believe that there is absolutely something wrong with that, even if it’s counter to the bottom line, and only by continuing to talk about it is it likely to ever change, if at all.