Voice of VOIPSA

“Public scrutiny is how security improves, whether software or airport security or government counter-terrorism measures.” — Bruce Schneier

Welcome back and thanks for tuning in. This is the 4th installment of Cisco IPICS security questions resulting from documentation review and applying my limited security knowledge.

Well, first off, the ipicsasktheexpert@cisco.com is, um, still bouncing (screenshot). Bummer…still some communications are happening on some other channels, so all is not lost.

Moving on…

Question 16: Has the IPICS Server been subjected to the various commercial scanners and fuzzers available? This is not to imply any preference, but scanners like Qualys and CORE Impact come to mind. Clearly, all scanners are not the same — recall the CSA client for Linux port scan vulnerability.

Cisco IPICS Expert answer

Question 17: To what degree are Lawful Intercept features integrated into the IPICS Server? Don’t forget that sometimes folks need to follow what’s going on inside too.

Cisco IPICS Expert answer

Question 18: How well have mature, available security testing methodologies/testcases, such as OWASP and Open Source Security Testing Methodology Manual OSSTMM been integrated in IPICS Server testing?

Cisco IPICS Expert answer

Question 19: Concerning the SNMPv3 implementation, if the IPICS Server operating system is indeed based on RedHat, then it is likely using the Net-SNMP implementation? Even though the implementation is designed for read-only, depending on the MIBs loaded on the IPICS Server, there are potential information disclosures resulting from recent vulnerabilities, such as Technical Cyber Security Alert TA08-162A

On this topic, I highly suggest FX’s “Perception of Vulnerabilities” article.

Cisco IPICS Expert answer

Question 20: The IPICS Server appears to have limited voice recording capability, with other vendors filling this technical niche. In what proactive manner have these 3rd party solutions been technically vetted so as to ensure thet they do not introduce security vulnerabilities into the IPICS Server? And vice-versa?

As with my previously, as yet unanswered 15 questions, I thank you for your time and look forward to your answers.

Shawn Merdinger
Security Researcher

“I don’t want no wait in vain for your love…”–BoB Marley

So here we are with the third installment of security questions for Cisco Systems’ IPICS Expert, questions 11-15. Astute readers (and pesky English majors) will notice that the title is not possessive concerning Cisco Systems’ — tsk, tsk, I had to do this so links in email readers would work and so the title would display correctly in various Web browsers. I suppose I could have gone the Dan York route and added Tiny-URL stuff…perhaps for another post. But, IMHO, Tiny-URL’s are spooky — you never know where they’re going to take you

So, it’s been a couple of weeks now and I’ve still not heard any answers from the IPICS Expert on either of the two previous posts: Asking The Cisco Systems IPICS Expert: Questions 1-5 and Asking The Cisco Systems IPICS Expert: Questions 6-10.

Further, the IPICS Expert email address (ipicsasktheexpert@cisco.com) still bounces…sigh. A little more promising, however, is some nice people from the Naval Postgraduate School I’ve been chatting with forwarded my questions to three or four people in Cisco’s Tactical Operations group last week, so we’ll see what happens. I’m hoping that these new players can move this process forward. If not, at the very least these questions will be out there drifting through the series of tubes on the Interwebs; for whatever that’s worth.

Question 11:

With IPICS Server V1.X, the documentation states that the INFORMIX user password cannot be changed “… do not change the informix password unless you are prompted to do so by the Cisco IPICS installation or upgrade procedure.” This seems to be a limitation, especially in organizations with password change policies (30/60/90 days, etc.). Has this issue been addressed in IPICS Server V2.0, or does changing the INFORMIX user password render the database unusable?

Cisco Answer

Question 12:

Concerning the IPICS ability to limit the re-use of all IPICS Server users’ previous passwords (default is previous 5), documentation on IPICS Server V2.X indicates that this password limitation does not apply to either the IPICSADMIN or IPICS user accounts. To not enforce this policy across all user accounts on the IPICS Server, especially those which are arguably “superuser” accounts, seems quite odd. Please state the justification for this selective application of password re-use limitation that excluded superuser accounts.

Cisco Answer

Question 13:

Cisco Answer

Question 14:

IPICS Server V2.X documentation indicates that for the IPICSADMIN and IPICS accounts there is neither a maximum number of invalid login attempts threshold, nor a definable lockout period (e.g. 4 hours) after a specified number of invalid login attempts. Considering that these two accounts are “superuser” level and likely targets of remote brute-force login attempts by attackers, is there any active notification such as pop-up alert, email/page alert, etc. to inform the IPICS Server administrator of such bruteforce login attempts? It seems that the only way an IPICS Server administrator would know she is under a bruteforce attack is to manually review attempted logins in the IPICS Server logs; is this correct?

Cisco Answer

Question 15:

During security audits and testing, customers will often use the Nessus Security Scanner to determine the vulnerabilities, if any, of their system. A common issue with Nessus scans are “false positives” during checks. What, if any, false positives can a Nessus scan of the IPICS Server 2.X can a Cisco customer expect? Please include the various scan options (default, polite, sneaky, paranoid, etc.), plugin sets (default, registered, professional, etc.), and especially host-based scans. I suggest providing the nessus.rc files and NBE-format results as well to prove verification.

Cisco Answer

As with my previous ten (as yet unanswered) questions, I thank you and look forward to your answers.

Shawn Merdinger
Security Researcher

“Hello? Is there anybody out there?”

So, it’s been a few business days since I posted “Asking the Cisco Systems’ IPICS Expert: Questions 1-5″ and while I haven’t heard anything back from the IPICS Expert either via email or comment on the blog post, it is somewhat amusing, and perhaps a bit disturbing, that a Google search for “IPICS Expert” leads back to VOIPSA…go figure.

Anyway, as with the previous post, this post continues focusing on Cisco Systems’ IPICS (IP Interoperability and Collaboration System) Server, the “heart” of the IPICS solution, with five more questions for the Cisco IPICS Expert:

Question 6: Early versions of the IPICS Server documentation refer to the operating system as Red Hat Linux, while a later version of documentation refer to the operating system as “Cisco Linux” and the latest version of documentation states “Linux” — Is the IPICS Server still based on Red Hat? If so, what version of Red Hat (enterprise, etc.)?

Cisco Answer

Question 7: Does the IPICS Server have any kind of file-integrity assurance program like, for example, Open Source Tripwire?

Cisco Answer

Question 8: Is the “Cisco Security Agent” provided at no cost for the IPICS Server, or is there an extra cost for this piece of software “protection?”

Cisco Answer

Question 9: The IPICS Server uses the IBM Informix database. According to documentation, IPICS Server 2.1(1) uses IBM Informix Dynamic Server Version 10.00.UC1. In 2008 several vulnerabilities were released concerning Informix, such as CVE-2008-0949, CVE-2008-0727, CVE-2008-0768 , CVE-2008-0369 , and CVE-2008-0368. If applicable to the IPICS Server 2.1(1) and earlier versions, have these vulnerabilities been addressed and patched in the IPICS Server? There seems to be nothing at the Cisco PSIRT site addressing these vulnerabilities. Am I missing something here?

Cisco Answer

Question 10: For IPICS Server 2.1(1), please provide a listing of all installed RPM packages, their version, and indication of known vulnerabilities in each RPM package.

Cisco Answer

As with my previous five (as yet unanswered) questions, I thank you and look forward to your answers.

Shawn Merdinger
Security Researcher

Over the past couple of years I’ve been keeping my eye on some of the several vendors’ solutions and emerging systems providing interoperability between disparate radios (800mhz, P25, push-to-talk, VHF, UHF, VoIP, cellular, etc.). Some of these solutions come as single device “magic boxes” like the JPS Raytheon ACU-1000, ACU-2000, ACU-M and ACU-T while others provide more IP-based solutions, such as Cisco Systems’ IPICS (IP Interoperability and Collaboration System).

As I’ve been working for some time on a whitepaper and presentation entitled “Emergency Communications Infrastructure: Asking The Difficult And Dangerous Questions” — I figured that the time has come to directly ask vendors some of the many questions I have as I’ve read through product literature, release notes, independent evaluations, journal coverage, and the like….even a little IPICS YouTube action.

So, I was very surprised when the email I sent to ipicsasktheexpert@cisco.com bounced (screenshot here!) Rather than go through the various emails and personnel to actually get a response or email address that worked for contacting the Cisco IPICS Expert, I figured I would provide the IPICS Expert the opportunity and privilege to answer my questions in a public forum such as VOIPSA’s Blog, as well as let the community know when they fixed their email address. As the IPICS is a solution, I have focused first on the “heart” — the IPICS Server, described by Cisco Systems as:

A security-enhanced, Linux-based platform that provides an administration console and resource management and hosts the optional Cisco IPICS Policy Engine and Operational Views applications.

Below are the questions. Cisco Systems’ IPICS Expert may either answer the questions in this post’s comments sections or email me the answers. If people in the community have IPICS solution questions, please add them to the comments or email them to me and we’ll get the questions posted on the VOIPSA Blog in the next batch, or the one after, or the one after….you get the idea.

Question 1: The IPICS Server is described by Cisco Systems as “Security Enhanced” — please provide a formal, technical definition for this term.

Cisco Answer

Question 2: On each network interface, by default what TCP ports are open across the 1-65535 range?

Cisco Answer

Question 3: On each network interface, by default what UDP ports are open across the 1-65535 range?

Cisco Answer

Question 4: On IPICS Server 2.1(1), what type and version Web server is running?

Cisco Answer

Question 5: Has this IPICS Server 2.1(1) Web Server version or type changed from previous versions of IPICS Server software?

Cisco Answer

Thank you and I, as well as others I’m sure, look forward to your answers.

Shawn Merdinger

Well, the GNUcitizen folks are at it again, and have discovered the default WEP keys shipped with Thomson and BT Home routers.  ZDnet and a few other news outlets have picked up the story, but IMHO your best bet it to read the details from the source. You can see BT’s security response here.

Foreign-based criminals are reportedly ripping off Australian companies by hacking into their telephone systems and racking up massive bills.  Last week a Melbourne retailer and university were hit with collective phone bills for more than 100-thousand dollars of overseas calls.  And both parties are angry with Telstra which they say is insisting they pay the bills.  The Camberwell Electrics Superstore says it was contacted by Telstra to ask why it had made 20 thousand dollars worth of overseas calls in less than two weeks.  And Swinburne University says it knew nothing about the scam until it was hit with an 80-thousand dollar bill.

The goal of Xplico is extract from an internet traffic capture the applications data contained.  For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).  Xplico is released under the GNU General Public License.

While most VoIP-related vulnerabilities are posted to the VOIPSA mailing list or blog, I thought it might be useful to have a informal quarterly summary of sorts among VoIP devices per searches from NIST.  I hope folks find it helpful, and of course post comments if I’ve overlooked anything from 1 January 2008 through 31 March 2008.

VoIP Firewalls

• CVE-2008-0263 Ingate Firewall & SIParator 1/15/2008

Cisco Phones

• CVE-2008-0531 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
• CVE-2008-0530 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
• CVE-2008-0529 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
• CVE-2008-0528 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
• CVE-2008-0527 Cisco Unified IP Phone 7935 and 7936 2/14/2008
• CVE-2008-0526 Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G 2/14/2008
• CVE-2008-1113 Cisco Unified Wireless IP Phone 7921 3/3/2008

Snom Phones

• CVE-2008-1251 Snom 320 SIP Phone 3/10/2008
• CVE-2008-1250 Snom 320 SIP Phone 3/10/2008
• CVE-2008-1249 Snom 320 SIP Phone 3/10/2008
• CVE-2008-1248 Snom 320 SIP Phone 3/10/2008

Vocera Phones

• CVE-2008-1114 Vocera Communications wireless handsets 3/3/2008

Routers & Gateways

• CVE-2008-1334 BT Home Hub router 3/13/2008

Asterisk PBX

• CVE-2008-1289 Asterisk Open Source 3/24/2008
• CVE-2008-1390 Asterisk Open Source 3/24/2008
• CVE-2008-1332 Asterisk Open Source 3/19/2008
• CVE-2008-1333 Asterisk Open Source 3/19/2008

Cisco Call Manager

• CVE-2008-0026 Cisco Unified CallManager/Communications Manager 2/14/2008
• CVE-2008-0027 Cisco Unified Communications Manager 1/16/2008

UPDATE 4/15/08

On April 1st VuNet reported that hackers had taken down the International Space Station’s email capabilities.

So, this was a good April Fool’s joke, right?

Three astronauts onboard the Space Station reported last night that email was no longer working.
Hackers are thought to have planted a Trojan in the computer systems at Houston and used the infection to ride the satellite uplink to the Space Station.

What is especially troubling is the email system’s reliance upon older Microsoft operating systems that are no longer supported by Microsoft.

“I am sorry but there is nothing we can do. It is past its deadline, said Professor Brian Offin, Microsoft’s head of obsolete operating systems.

Again, a good April Fool’s joke, right?

However, this false article brings to light the fact that as newer technologies replace legacy systems, we must bear in mind that the new technology changes will, over time, themselves become legacy systems and subject to the same outdated, unsupported and insecurities that plagued the very legacy systems they replaced.

So what’s this have to do with VoIP and the International Space Station? Well, details are thin, but way back in 2000 VoIP Group Inc. was awarded a contract to provide a VoIP replacement for the ISS to “bring about significant cost reductions as it supplements and then replaces an existing legacy system.”

Initially deployed at NASA’s Marshall Space Flight Center in Huntsville, Alabama, and later at other International Space Station operations centers, the solution will consist of VoIP Group’s gateways connected to the Internet and to Raytheon voice switches and CUseeMe conference servers to support voice conferencing. The system is designed to link together researchers, NASA operations personnel, and potentially ISS crew, to support collaboration during Space Station experiment planning and operations. Because users can access the system using a standard Internet browser on an inexpensive multimedia PC, they can be located at NASA centers, universities, and companies throughout the world, and still connect in real-time, 24 x 7.

I hope that the sharp folks at NASA and VoIPgroup are taking the proactive steps to avoid security problems with critical communications with the ISS.

It’s refreshing to see a vendor in the IP phone space respond to reported security problems with their products.  During the GNUcitizen Router Hacking Challenge several issues were reported with the Snom 320.  The vulnerabilities posted were also picked up by Tom Keating’s blog.  Gnucitizen posted a webpage detailing the vulnerabilities as well, and the vendor response has been very good, with the following actions taken by Snom (note: typos left in):

• We will publish an article on “how to make your snom phone saver” on our website (including a link to it on the start page)
• We will send out a newsletter to all our registred VARS and distributers with this information
• We will work on the FW to improve security (just checked, on FW Ver. 7 the Flash applet is disabled by default)
• We will publish a new email adress, for security matters (mostlikly security@snom.com), which goes to a bunch of people.

So, this is a good start, but I do have a few humble suggestions for Snom:

1. Have a dedicated security page, e.g. www.snom.com/security/ that has their product security policy spelled out.
2. Setup PGP for the security@snom.com email alias and post the public key so that communications can be encrypted.
3. Formalize the product vulnerability advisory process, including sending out the advisory to various mailing lists, etc.  Following Cisco PSIRT and Asterisk advisory format is a fine start.
4. Tidy up the English translations for better flow and understanding.

Overall, this is encouraging to see a VoIP phone vendor stepping up and taking ownership of product vulnerabilities - Kudos to Snom!