[VOIPSEC] Any solution to the SIP Digest Leakage vulnerability?
publists at enablesecurity.com
Sat Apr 4 07:24:04 EDT 2009
I'm sure some of you have already read about the research that I was
working on. To summarize, there's a security flaw that affects a large
number of IP Phones and other SIP endpoints. I'm interested in
discussing the sort of solutions that would address this issue.
If you are not familiar with what I'm talking about please read the
(skip to the section "Understanding the attack" if you're in a hurry) :
The VOIPSA blog also covered this briefly:
Solutions might include changes in software and firmware,
infrastructural changes etc.
As for a technical solution, at this point I think that SIP endpoints
should check the IP address of the destination that they are sending a
challenge response to and make decisions based on that. Do you see
this as being an effective solution, any downsides?
Chief Consultant and Founder of EnableSecurity
Email: sandro at enablesecurity.com
PGP: 514D B10C 8C3C 15BB 2EFD 49EC 7CCD 73C5 0295 F23B
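
One way to express the check proposed in the message above, as an added example that is not part of the original post or any vendor's code: the endpoint answers a 401/407 digest challenge only when the address the credentials would be sent to belongs to its own configured server set. The function names, the TRUSTED_SERVERS list and the sample SIP response are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: addresses of the endpoint's own registrar / outbound proxy.
# Constructed values from the documentation ranges, not from the post.
TRUSTED_SERVERS = ["192.0.2.10", "198.51.100.0/28"]

# Constructed sample challenge, as it might arrive from any SIP peer.
SAMPLE_CHALLENGE = (
    "SIP/2.0 407 Proxy Authentication Required\r\n"
    'Proxy-Authenticate: Digest realm="example.invalid", nonce="constructed"\r\n'
    "\r\n"
)


def parse_status(message):
    """Return the status code of a SIP response, or 0 if it is not one."""
    parts = message.split("\r\n", 1)[0].split(" ", 2)
    if len(parts) >= 2 and parts[0] == "SIP/2.0" and parts[1].isdigit():
        return int(parts[1])
    return 0


def is_trusted(dest_ip, trusted=TRUSTED_SERVERS):
    """True if dest_ip falls inside one of the configured server networks."""
    try:
        addr = ipaddress.ip_address(dest_ip)
    except ValueError:
        return False  # unparsable address is never trusted
    return any(addr in ipaddress.ip_network(net, strict=False) for net in trusted)


def decide(message, dest_ip, trusted=TRUSTED_SERVERS):
    """Decide what to do with a response before computing any digest.

    dest_ip is the address the authenticated request would be sent to.
    """
    if parse_status(message) not in (401, 407):
        return "not_a_challenge"
    if is_trusted(dest_ip, trusted):
        return "send_credentials"
    # Challenge from outside the configured server set: do not answer,
    # and record it so that operators can see the attempt.
    return "drop_and_log"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, decide(SAMPLE_CHALLENGE, ip))
```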