[VOIPSEC] CISCO Phone 7940 DOS vulnerability
Ari Takanen
voipsa at codenomicon.com
Sat Mar 24 04:58:40 CDT 2007
On Sat, Mar 24, 2007 at 04:40:20AM +0200, Diana Cionoiu wrote:
> This is an old one. We knew about it since beginning of 2006. We discovered
> accidentally. Seems that newer firmware fix that.
I hope you reported it to the vendor also. Vulnerability is created as
the bug is found, and eliminated when the bug is fixed. I have noted
many times that in the security community it is not about who finds it
first, but who reports it first. The final credit will probably
appear on the Cisco advisory, as they are the only ones who can
actually say who found it and reported it to them first.
We are very used to this, with more than 10 years of experience from
PROTOS research. Both PROTOS and Codenomicon tools are able to find
thousands of issues including the majority of the later disclosed
vulns in many protocols, and sometimes our tools have even been used
to find some of the disclosed problems. We still usually do not get
any credit for the discovery. Such is life. But this is ok as we do
not have time to run our tools to find the actual vulnerabilities. Our
customers do the routine part, i.e. testing. That is why you will
commonly see statements such as "found by X using Y testing product."
In summary, I agree that the credit should go to the person who acts
responsibly and will report the flaw to the vendor. No matter how many
people have found it before that (but not reported it). Acts toward
fixing the issues should be rewarded, not acts towards misuse. The
tools used in the discovery are not the most important aspect either,
it is the ethics of the person that really count. This is ok to us as
a security testing tool vendor, as we are not doing this for publicity
but to help the vendors and enterprises in using better quality
products.
/Ari
--
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen Codenomicon Ltd.
ari.takanen at codenomicon.com Tutkijantie 4E
tel: +358-40 50 67678 FIN-90570 Oulu
http://www.codenomicon.com Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-