[VOIPSEC] FYI - Quarterly Summary of VoIP Vulnerabilities

[dima _at]

Hi Shawn Merdinger, lets make it a bit more clear. I've just tested it
on the firmware mentioned in the referred bagtraq message. And what i
got. It's possible to archive the same effect as described in the
report by flooding the device with ip packets with the sizes close to
the ip packet size limit. (Actually it seems like possible to do that
even with small packet just takes longer). It's just necessary to flood
it till the server timeout is reached and you will see "server
unreachable" message on the screen. I don't really know whether it's a
hardware issue or bad software design but that allows to prevent a
phone user from making calls. Beside that if you are flooding a phone
during a call the phone keeps sending the rtp stream. I probably need to
investigate it deeper and inform the vendor.

 I did not really get the point how the software bug itself is related
to all those severity of impact, attacks vectors etc. I was pointing
that there was a software bug and it could have some security issues
under certain circumstances. So i think it needs to be fixed. 

--
regards, Dima