[VOIPSEC] VoIPshield Labs ... I smell a goat...

Dustin D. Trammell dtrammell at dustintrammell.com
Fri Apr 4 12:44:43 EDT 2008

I'm also inclined to call this announcement fairly dubious, but not for
the same reasons as J. Oquendo.  I'm personally a big fan of Full
Disclosure, so I commend VoIPShield for bringing the vulnerability
information to the public, especially after it has already been reported
to the vendors and they've been given a heads up even if some of them
have not released patches.  What I would further like to see however is
more technical detail for the advisories, especially the ones that are
listed as patched.

Anyhow, what I would like to point out here is that VoIPShield appears
to be over-exaggerating their vulnerability count.  As an example, if
you take a look at all the "Cisco * Command Injection" advisories, they
all appear to be the same vulnerability (unauthenticated command
messages).  What they've done is released a vulnerability advisory for
every potential /payload/ that they can send via this vulnerability.
Anyone that works in this industry and deals directly with vulnerability
advisories and researchers likely understands the anatomy of an attack
and can differentiate the vulnerability from the exploit and from the
payload(s).  You'll also notice that Cisco apparently agrees with me
here, because each of those advisories all link to the same, single,
Cisco advisory, which properly identifies these as a single
vulnerability.  Other smaller cases of this are sprinkled throughout
their advisory list.  This is what we call "padding the numbers." (:

I find it hard to believe that the research team at a security product
company such as VoIPShield doesn't understand this.  I'm more inclined
to believe that they do, but were probably approached by their marketing
team and told "We need to have <insert magic number here, in this case
100> vulnerability advisories to make a splash for the product launch!"
and when they said "Well, we /could/ do it this way, but..." they were
told to go ahead and do it anyway.  Of course that's just my guess, and
I'm giving them the benefit of the doubt, because I've been in the same
position any number of times throughout my career and this scenario does
happen quite frequently.

Let's hope they clean up their advisories and condense them down to a
more reasonable (and realistic) number.

Dustin D. Trammell
dtrammell at dustintrammell.com

More information about the Voipsec mailing list