Cisco says it can't reproduce PIX flaw

Cisco Systems Inc. has been trying to reproduce a PIX firewall security hole outlined by a researcher during the Black Hat USA 2006 conference in Las Vegas earlier this month. So far, the company has been unsuccessful.

Hendrik Scholz, lead VoIP developer and systems engineer with Freenet Cityline of Germany, announced the existence of the flaw at the end of his presentation on SIP stack fingerprinting and attacks Aug. 2, the first day of the conference.

His final slide appeared to feature limited details on an undisclosed flaw related to the Session Initiation Protocol (SIP) in the San Jose, Calif.-based networking giant's PIX series of firewalls and security appliances.

SearchSecurity.com learned that the information Scholz shared during his presentation involved the use of a proxy server to ring multiple phones simultaneously in conjunction with SIP "fixup" command. Essentially it pokes a hole through a PIX firewall to allow SIP data to pass through and potentially allows for the spoofing of a source device, in this case a telephony handset.

Scholz was working with Cisco and the United States Computer Emergency Readiness Team (US-CERT) on the matter, and was giving the networking giant time to address any outstanding vulnerabilities before disclosing more details.

But as of Tuesday, Cisco had been unable to confirm the flaw exists.

"We've been working with Mr. Scholz ever since his disclosure in order to re-create this vulnerability," Cisco spokesman John Noh said in an email. "So far, we have not been able to reproduce the issue and therefore cannot confirm his claim."

Nevertheless, he said Cisco will keep testing and will issue a new security advisory as new information becomes available.

Information Security magazine Editor-in-Chief Michael S. Mimoso contributed to this report.