Controversy looms for Cisco once again, as information revealed
at the Black Hat conference on 2 August could lead to another
significant zero-day vulnerability and exploit.
Hendrik Scholz, lead VoIP developer and systems engineer with
Freenet Cityline of Germany, saved the best for last during his
Black Hat USA 2006 presentation on SIP stack fingerprinting and
attacks. His final slide appeared to feature limited details on an
undisclosed flaw related to Session Initiation Protocol (SIP) in
Cisco Systems PIX series of firewalls and security appliances.
According to Mike Caudill and Jeffrey Lanza, incident managers
with Cisco's Product Security Incident Response Team (PSIRT), the
networking giant is unsure whether the details describe a
vulnerability or a misconfiguration.
SearchSecurity.com has learned that the information Scholz
shared during his presentation involved the use of a proxy server
to ring multiple phones simultaneously, in conjunction with the PIX
SIP 'fixup' command. Essentially, it pokes a hole through a PIX
firewall to allow SIP data to pass through and potentially allows for
the spoofing of a source device, in this case a telephony handset.
A news source in the US said Scholz is working with Cisco and
United States Computer Emergency Readiness Team (US-CERT) on the
matter, and is giving the networking giant time to address any
outstanding vulnerabilities before disclosing more details.
Cisco is reported to be investigating the discovery, but it is
also reported to have said that it may need several days to vet
the issue because it must be tested on myriad PIX devices. The
vendor has emphasised that since the issue involves the exposure of
a service that shouldn't be exposed, it may be caused by a problem
specific to Scholz's implementation and not a true
vulnerability.
If proven to be a flaw, a source said, there is a potential for
telephony denial-of-service or malicious call redirection, which
could lead to voice phishing.
"There weren't enough details in the slide for anyone to be able
to do anything with it," said a source with knowledge of Scholz's
presentation. "He wanted to let people know it was there and to
protect themselves."
Scholz reportedly stumbled upon the issue within the last month,
having recently returned from a vacation prior to Black Hat. "He
didn't think it was a big deal," the source said.
"The [flaw] Michael Lynn revealed last year had the ability to
essentially bring down routing," said another source. "So on a
severity scale of one to 100, if Mike Lynn's was a 95, this might
be a two."
Few Cisco products support SIP; for instance, its SIP Proxy
Server call-control software uses it, and its SIP IP Phone software
enables certain handsets to work in SIP-based VoIP environments.
Hence the reaction from Cisco's lawyers pales in comparison to the
furor caused last year when researcher
Michael Lynn disclosed a serious vulnerability
in IOS, Cisco's router operating system. Lynn subsequently
lost his job, was sued and had a run-in with the FBI over the
matter. Lynn, who now works for Cisco rival Juniper Networks
Inc., is at this year's Black Hat.
This news comes just hours after a pair of presenters revealed a
zero-day exploit for Cisco CallManager
Express.
David Endler, director of security research for the TippingPoint
division of 3Com, and Mark Collier, CTO of telephony management
vendor SecureLogix, who are authors of the book Hacking Exposed
VoIP, told Black Hat attendees that the networking giant's
CallManager Express VoIP management software is vulnerable to a
flaw in which a remote user can supply specially crafted SIP
requests to gain information from the SIP user directory, including
the names of the users stored in the SIP user database.
A patch for that issue is not yet available, but Cisco said it
is investigating the problem and will provide further information
when it becomes available. Cisco was notified of the issue prior to
Black Hat.
Victor R. Garza and News Editor Eric B. Parizo contributed to
this article.