Vendors reject preferential knowledge sharing

While Cisco continues to investigate a potential PIX firewall flaw, it and other vendors say sharing security information quickly and indiscriminately is always the best policy.

Cisco Systems Inc. CSO John Stewart told Information Security on 3 August that his product security incident response teams have not yet determined the severity of a previously unknown PIX firewall flaw, which was disclosed at Black Hat USA 2006.

German VoIP developer and engineer Hendrik Scholz offered up limited details on the flaw during a presentation on SIP stack fingerprinting and attacks. The final slide of his talk iterated that there is a problem in PIX firewalls where a proxy server could be used to ring multiple phones simultaneously in conjunction with a SIP "fixup" command. VoIP handsets could ultimately be spoofed.

Mike Caudill and Jeffrey Lanza, incident managers with Cisco's Product Security Incident Response Team (PSIRT), were unsure Wednesday whether the details describe a vulnerability or a configuration problem.

Stewart, meanwhile, acknowledged that SIP across PIX has a certain prevalence among customers and merits immediate attention. But he added that it's "worlds apart" from the severity of an IOS vulnerability disclosed during last year's Black Hat conference. ISS researcher Michael Lynn revealed a problem in Cisco routers that affected much of the infrastructure operating on the Internet.

"I think we're at the point where new information is going to pop up every year at these types of conferences," he said. "I think, ultimately, it's a positive."

Ironically, Stewart participated Thursday in a Black Hat panel discussion with other vendors, researchers and enterprise security managers that focused on disclosure. The panel debated what and when to disclose vulnerability information, as well as parity among customers and whether certain customers should get priority notice on vulnerability information.

"As a user in an enterprise, what is the vulnerability we're looking at? Is it massive, then yes, I need to know. If it's baby candy, don't bother me," said Pamela Fusco, security officer for a financial services firm. "What level of severity are we talking about when talking about full disclosure? If it's high-end that could disrupt services nationwide, and impact life and business, that situation needs full disclosure to control chaos and the aftermath."

Scott Blake, CISO for Boston-based Liberty Mutual Insurance Co., said it's prudent for security managers to assess the risk of a vulnerability as it applies to their environments. He said he may want to know about it on a personal level, but that it may not change the way a business's processes operate.

"With prudent planning, the assumption is that it is exploitable," Blake said. "You have to make that assumption."

One assumption that may be a fallacy is the notion of a preferred customer list for vulnerability information. Cisco's Stewart, Microsoft Senior Director of Security Engineering Strategy Steve Lipner and Sun Microsystems Inc.'s Security Engineer Derrick Scholl squashed the notion.

Stewart said that some of Cisco's large customers would be happier if they received information before everyone else. He added that even Cisco is not a preferred customer and that its engineers cannot make changes based on information that is forthcoming.

"When you do one of those [preferential customer] lists, then everyone wants to be on that list and then pretty soon there is no list and it starts all over again," Stewart said. "It serves no purpose."

There have been times, however, when backbone providers were the first to know about severe vulnerabilities, such as those in SNMP ASN.1 handling.

"I used to work for MCI and we did get some of that information," Fusco said. "Major providers would give it to us, asking us to help them out. It made perfect sense in that case. But then we'd be the ones who get beat up: 'You get preferential treatment.' It's a vicious circle."
