Cisco struggles with SIP firewall flaw

Cisco Systems has been trying to reproduce a PIX firewall security hole outlined by a researcher during the Black Hat USA 2006 conference in Las Vegas earlier this month. So far, the company has been unsuccessful.

Hendrik Scholz, lead VoIP developer and systems engineer with Freenet Cityline of Germany, announced the existence of the flaw at the end of his presentation on SIP stack fingerprinting and attacks. His final slide appeared to feature limited details on an undisclosed flaw related to the Session Initiation Protocol (SIP) in the networking giant's PIX series of firewalls and security appliances.

SearchSecurity.com learned that the information Scholz shared during his presentation involved the use of a proxy server to ring multiple phones simultaneously in conjunction with SIP "fixup" command. Essentially it pokes a hole through a PIX firewall to allow SIP data to pass through and potentially allows for the spoofing of a source device, in this case a telephony handset.

Scholz was working with Cisco and the US Computer Emergency Readiness Team (US-CERT) on the matter, and was giving the networking giant time to address any outstanding vulnerabilities before disclosing more details.

So far Cisco has been unable to confirm the flaw exists.

"We've been working with Mr Scholz ever since his disclosure in order to recreate this vulnerability," Cisco spokesman John Noh said in an e-mail. "So far, we have not been able to reproduce the issue and therefore cannot confirm his claim."

Nevertheless, he said Cisco will keep testing and will issue a new security advisory as new information becomes available.

Information Security magazine editor-in-chief Michael Mimoso contributed to this report.

This article originally appeared on SearchSecurity.com.