[VOIPSEC] CISCO Phone 7940 DOS vulnerability
Radu State
state at loria.fr
Sat Mar 24 08:13:34 CDT 2007
Hi Ari and Diana,
Thank you Ari for bringing the discussions to ethics, which is essentially in
our work. I think that we need and have to work together with the concerned
vendors when finding a vulnerability and also allow them to fix the patch
before we disclose it. In our case, we had excellent interactions with Cisco
and they are highly professional and prompt in the communication. We have
reported the issue and only when having the OK from them we did the
disclosure.
I am also expecting to see advisories for software for which there is upgraded
firmware, since reporting one for which no update exists would be unethical if
the vendor replied and confirmed that it is working to fix it, or if an updated
software exists.
On the other hand in VoIP devices, these issues are more important for a simple
reason: we are used to patching our systems/computers, but in my personal
experience few companies upgrade their phone firmwares. Phones get installed
and next forgotten in terms of security.
Cheers,
RS
Selon Ari Takanen <voipsa at codenomicon.com>:
> On Sat, Mar 24, 2007 at 04:40:20AM +0200, Diana Cionoiu wrote:
> > This is an old one. We knew about it since the beginning of 2006. We
> > discovered it accidentally. Seems that newer firmware fixes that.
>
> I hope you reported it to the vendor also. Vulnerability is created as
> the bug is found, and eliminated when the bug is fixed. I have noted
> many times that in the security community it is not about who finds it
> first, but who reports it first. The final credit will probably
> appear on the Cisco advisory, as they are the only ones who can
> actually say who found it and reported it to them first.
>
> We are very used to this, with more than 10 years of experience from
> PROTOS research. Both PROTOS and Codenomicon tools are able to find
> thousands of issues including the majority of the later disclosed
> vulns in many protocols, and sometimes our tools have even been used
> to find some of the disclosed problems. We still usually do not get
> any credit for the discovery. Such is life. But this is ok as we do
> not have time to run our tools to find the actual vulnerabilities. Our
> customers do the routine part, i.e. testing. That is why you will
> commonly see statements such as "found by X using Y testing product."
>
> In summary, I agree that the credit should go to the person who acts
> responsibly and will report the flaw to the vendor. No matter how many
> people have found it before that (but not reported it). Acts toward
> fixing the issues should be rewarded, not acts towards misuse. The
> tools used in the discovery are not the most important aspect either,
> it is the ethics of the person that really count. This is ok to us as
> a security testing tool vendor, as we are not doing this for publicity
> but to help the vendors and enterprises in using better quality
> products.
>
> /Ari
>
> --
> -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
> Ari Takanen Codenomicon Ltd.
> ari.takanen at codenomicon.com Tutkijantie 4E
> tel: +358-40 50 67678 FIN-90570 Oulu
> http://www.codenomicon.com Finland
> PGP: http://www.codenomicon.com/codenomicon-key.asc
> -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
>