[VOIPSEC] Questions about recent Sipera reported RIM Blackberry (and other VoIP phone) vulnerabilities
Shawn Merdinger
shawnmer at gmail.com
Thu Apr 5 03:31:59 CDT 2007
Hi,
Thanks for the response, I just hope it's a person and not automated
since there's no personal contact in the "advisory" -- or that it's
spoofed since there's no PGP signature -- Cisco PSIRT provides a
1-to-1 contact and uses PGP -- that "personal touch" that matters so
much...take notes :)
Anyway, what's up with #2?
If you first say that "no specific products are tested" and then say
that during "assesse[ing] specific products" you discover issues that
may be "one or more generic threats" -- well, it seems to me that if
you find some vuln in a specific product, then that specific vuln is
certainly not "theoretical" and the impacted vendor(s) should be
notified, and if they do not respond then a public disclosure. I
mean, your advisories seem to be talking about library flaws that are
likely in libraries that could be in many products. There's a moral
obligation on many levels here, imho.
Oh, and if you guys are going to continue playing in the public vuln
disclosure sandbox for marketing purposes may I humbly suggest you
have a chat and get advice from the people who _really know_ what the
heck they're doing (and we all know who they are)...even if they are
competitors...this disclosure stuff can get hairy.
Kind regards,
--scm
voipninja.com
On 4/3/07, Sipera VIPER Lab <viper at sipera.com> wrote:
> Thank you very much for your interest and questions.
>
> 1. According to our disclosure policy currently in effect, Sipera VIPER Lab notifies equipment vendors, at least 30 business days in advance, of Specific Threat Advisories and works with each of these vendors to publish a response with minimal difference, fix the vulnerability and/or identify other solutions to these security issues. These solutions are published along with the Threat Advisory.
>
> 2. We categorize threat advisories into "Generic" and "Specific". Unlike specific advisories, generic threat advisories are largely a result of theoretical analysis of protocol standards-- no specific products are tested. As a result of assessing specific products, we may discover issues that relate to one or more of generic threats.
>
> 3. For some reason, if a vendor does not respond, we continue trying to contact the vendor using all possible channels for a specific period of time; even after publishing advisories.
>
> 4. VoIP Threat Advisories are posted at http://www.sipera.com/viper as a service to Sipera's customers and the general public. More public disclosure is currently under consideration.
>
> As a part of the security research community, we are glad to work with VOIPSA to improve and standardize overall security of VoIP products and solutions.
>
> Sincerely,
> Sipera VIPER Lab
> www.sipera.com/viper
>
>
> ----- Original Message -----
> From: Shawn Merdinger
> Sent: Tue, 4/3/2007 8:46am
> To: Voipsec ; security at rim.com; Sipera VIPER Lab
> Subject: Questions about recent Sipera reported RIM Blackberry (and other VoIP phone) vulnerabilities
>
> OK, I was waiting for someone else to bring this up, but nothing
> yet...must've been a case of the Mondays.
>
> Sipera VIPER folks, a few quick questions:
>
> 1. Concerning Sipera's recent VoIP phone advisories, why do your
> threat ratings (high, moderate, etc.) differ from the advisories
> issued by RIM? I was hoping (a guy can dream, right?) there was
> coordination and everyone was on the same page...RIM folks? Any
> comments? Maybe this is an opportunity for VOIPSA to create a "vendor
> code of conduct" to lead the community disclosure process?
>
> 2. Concerning Sipera's "Generic" advisories, they are very, very,
> vague -- with no information on impacted vendors, status of fixes,
> etc. What's going on here? Is there a Sipera policy in play? If
> you've notified vendors who are not fixing or have ignored you, what's
> the next course of action?
>
> http://www.sipera.com/index.php?action=resources,threat_advisory&all=Generic&;
>
> 3. Is Sipera VIPER Labs planning to publish vulnerability notices
> more publicly (full-disclosure, bugtraq, etc.) in the future -- or
> will they continue to be released quietly? Btw, you might refer to my
> recent VOIPSA blog post on questions to ask vendors, #6 Vendor
> Security Response.
>
> Kind regards,
> --scm
>
>