Cisco Systems Inc. CSO John Stewart told Information Security on 3 August that his product security incident response teams have not yet determined the severity of a previously unknown PIX firewall flaw, which was disclosed at Black Hat USA 2006.
German VoIP developer and engineer Hendrik Scholz offered up limited details on the flaw during a presentation on SIP stack fingerprinting and attacks. The final slide of his talk stated that there is a problem in PIX firewalls where a proxy server could be used to ring multiple phones simultaneously in conjunction with a SIP "fixup" command. VoIP handsets could ultimately be spoofed.
Mike Caudill and Jeffrey Lanza, incident managers with Cisco's Product Security Incident Response Team (PSIRT), were unsure Wednesday whether the details describe a vulnerability or a configuration problem.
Stewart, meanwhile, acknowledged that SIP across PIX has a certain prevalence among customers and merits immediate attention. But he added that it's "worlds apart" from the severity of an IOS vulnerability disclosed during last year's Black Hat conference.
ISS researcher Michael Lynn revealed a problem in Cisco routers that affected much of the infrastructure operating on the Internet.
"I think we're at the point where new information is going to pop up every year at these types of conferences," he said. "I think, ultimately, it's a positive."
Ironically, Stewart participated Thursday in a Black Hat panel discussion with other vendors, researchers and enterprise security managers that focused on disclosure. The panel debated what and when to disclose vulnerability information, as well as parity among customers and whether certain customers should get priority notice on vulnerability information.
"As a user in an enterprise, what is the vulnerability we're looking at? Is it massive, then yes, I need to know. If it's baby candy, don't bother me," said Pamela Fusco, security officer for a financial services firm. "What level of severity are we talking about when talking about full disclosure? If it's high-end that could disrupt services nationwide, and impact life and business, that situation needs full disclosure to control chaos and the aftermath."
Scott Blake, CISO for Boston-based Liberty Mutual Insurance Co., said it's prudent that security managers assess the risk of a vulnerability as it applies to their environments. He said he may want to know about it on a personal level, but that it may not change the way a business's processes operate.
"With prudent planning, the assumption is that it is exploitable," Blake said. "You have to make that assumption."
One assumption that may be a fallacy is the notion of a preferred customer list for vulnerability information. Cisco's Stewart, Microsoft Senior Director of Security Engineering Strategy Steve Lipner and Sun Microsystems Inc.'s Security Engineer Derrick Scholl squashed the notion.
Stewart said that some of Cisco's large customers would be happier if they received information before everyone else. He added that even Cisco is not a preferred customer and that its engineers cannot make changes based on information that is forthcoming.
"When you do one of those [preferential customer] lists, then everyone wants to be on that list and then pretty soon there is no list and it starts all over again," Stewart said. "It serves no purpose."
There have been times, however, when backbone providers were the first to know about severe vulnerabilities in SNMP ASN.1.
"I used to work for MCI and we did get some of that information," Fusco said. "Major providers would give it to us, asking us to help them out. It made perfect sense in that case. But then we'd be the ones who get beat up: 'You get preferential treatment.' It's a vicious circle."