[VOIPSEC] CISCO Phone 7940 DOS vulnerability

Diana Cionoiu diana at voip.null.ro
Sat Mar 24 16:15:35 CDT 2007 

Hi Ari,

I don't work as a VoIP security advisor or anything like that. Cisco for 
me is Yet Another Competitor, and if they don't bother to download at 
least something like sipsak to test their phones, i don't see any reason 
to help them.
This special issue is something that should never appear in a decent 
writen SIP stack. As long as they don't bother to do the job they get a 
lot of money for, i don't see why "me" i should help my competition.
And yes i know the story with "we all look for more security in our life", 
but that is true only if you don't sell in the same market with the guys 
you are suppose to help.
Cisco has enough advantage in this market so they don't need one more (the 
help of the comunity).
And i belive that as long as i didn't used the flaw as an advantage for my 
company, the entire issue is somehow neutral.

Diana Cionoiu

P.S. Von Europe in Stockholm again Ari? Maybe some hacking session?

On Sat, 24 Mar 2007, Ari Takanen wrote:

> On Sat, Mar 24, 2007 at 04:40:20AM +0200, Diana Cionoiu wrote:
>> This is an old one. We knew about it since begining of 2006. We dicovered
>> acidentally. Seems that newer firmware fix that.
>
> I hope you reported it to the vendor also. Vulnerability is created as
> the bug is found, and eliminated when the bug is fixed. I have noted
> many times that in the security community it is not about who finds it
> first, but who reports it first. The final credit will probably
> apperar on the Cisco advisory, as they are the only ones who can
> actually say who found it and reported it to them first.
>
> We are very used to this, with more than 10 years of experience from
> PROTOS research. Both PROTOS and Codenomicon tools are able to find
> thousands of issues including the majority of the later disclosed
> vulns in many protocols, and sometimes our tools have even been used
> to find some of the disclosed problems. We still usually do not get
> any credit for the discovery. Such is life. But this is ok as we do
> not have time to run our tools to find the actual vulnerabilities. Our
> customers do the routine part, i.e. testing. That is why you will
> commonly see statements such as "found by X using Y testing product."
>
> In summary, I agree that the credit should go to the person who acts
> responsibly and will report the flaw to the vendor. No matter how many
> people have found it before that (but not reported it). Acts toward
> fixing the issues should be rewarded, not acts towards misuse. The
> tools used in the discovery are not the most important aspect either,
> it is the ethics of the person that really count. This is ok to us as
> a security testing tool vendor, as we are not doing this for publicity
> but to help the vendors and enterprises in using better quality
> products.
>
> /Ari
>
> -- 
> -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
> Ari Takanen                       Codenomicon Ltd.
> ari.takanen at codenomicon.com       Tutkijantie 4E
> tel: +358-40 50 67678             FIN-90570 Oulu
> http://www.codenomicon.com        Finland
> PGP: http://www.codenomicon.com/codenomicon-key.asc
> -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>

More information about the Voipsec mailing list