[VOIPSEC] FYI - Quarterly Summary of VoIP Vulnerabilities

Shawn Merdinger shawnmer at gmail.com
Fri Apr 18 14:22:59 CDT 2008


>>Lynn, Tom Tom.Lynn at nordstrom.com
>>Fri Apr 18 16:38:41 BST 2008

>>It seems very Cisco-heavy.  Is this normal?

Hi Tom,

Cisco PSIRT is very good (and pretty honest IMHO) at reporting product
vulnerabilities, hence the official PSIRT announcements, CVEs and
internal bug tracking information that Cisco PSIRT provides will show
up in the security mailing lists and vulnerability databases.  Most
other vendors are, IMHO, not as proactive and on-the-ball addressing
the formal public announcement of product vulnerabilities -- hence the
absence of CVEs, problems with contacting security personnel (a la
VoIPshield's latest round of fun in this area), etc.

As an example, you'll note in my blog post the Philips VOIP841 PC-Free
DECT 6.0 Wireless IP Phone from 2-14-2008.  This set of
vulnerabilities was not in NIST's database, but rather I found it on
Milw0rm <http://milw0rm.com/exploits/5113> because I was trying to do
a little extra digging.  I did Philips the "favor" of notifying
CERT...we'll see what happens.

Another example of this past quarter's "under the radar"
vulnerabilities was picked up by Mark Collier, noting some conference
presentations about Nortel's phones and Unistim protocol -- see
http://voipsecurityblog.typepad.com/marks_voip_security_blog/2008/03/a-couple-of-pre.html

Bottom line?  A company with up-front and formalized processes and
dedicated people like Cisco PSIRT is going to tell the world about product
vulns, though I understand with IOS it's been changed to happen twice
a year, with some exceptions (see the Cisco PSIRT policy for more on
this).  As far as other companies go you may or may not hear about the
vulnerabilities via the company website, VAR notices, fixes buried
deep in release notes of new product versions, etc, etc....or not at
all.

And realize that all kinds of voip vulnerability information comes out
at security conferences, both formally and informally, in the slide
presentation or perhaps over a beer.  Plus there's ethical hacking
groups like Gnucitizen poking at gear and those security issues may
just get noted on a webpage, with the security researcher not
bothering to notify the vendor for any number of reasons, or bothering
to notify CERT because of the low-hanging-fruit nature of the bug
(i.e. lame ones like I reported to CERT with a bunch of voip wifi
phones).

My objective with the Quarterly Summary of VoIP Vulnerabilities blog
post was to see what NIST had documented as a basic public service to
the VOIPSA.  I can assure you that there's plenty more voip
vulnerabilities and security issues and intelligence to gather and
uncover...but it's going to take time and resources, and of course the
right people.

If there are folks out there who want to get *truly serious* about
finding out *what's really going on out there* and can *provide the
support*....well, maybe consider pinging me.

Kind regards,
--scm

Shawn Merdinger
Security Researcher



