
Possible Cisco zero-day exploit revealed at Black Hat

By Michael S. Mimoso, Editor-in-Chief, Information Security magazine
03 Aug 2006 | SearchSecurity.com


Update: LAS VEGAS -- Controversy looms for Cisco once again at Black Hat, as information revealed Wednesday could lead to another significant zero-day vulnerability and exploit.

Hendrik Scholz, lead VoIP developer and systems engineer with Freenet Cityline of Germany, saved the best for last during his Black Hat USA 2006 presentation Wednesday on SIP stack fingerprinting and attacks. His final slide appeared to feature limited details on an undisclosed flaw related to Session Initiation Protocol (SIP) in Cisco Systems Inc.'s PIX series of firewalls and security appliances.

According to Mike Caudill and Jeffrey Lanza, incident managers with Cisco's Product Security Incident Response Team (PSIRT), the networking giant is unsure whether the details describe a vulnerability or a misconfiguration.

SearchSecurity.com has learned that the information Scholz shared during his presentation involved the use of a proxy server to ring multiple phones simultaneously in conjunction with the PIX SIP "fixup" command. Essentially, the fixup pokes a hole through the PIX firewall to allow SIP data to pass through, and the technique potentially allows for the spoofing of a source device, in this case a telephony handset.

A news source said Scholz is working with San Jose, Calif.-based Cisco and the United States Computer Emergency Readiness Team (US-CERT) on the matter, and is giving the networking giant time to address any outstanding vulnerabilities before disclosing more details.

Cisco is investigating the discovery, but said it may need several days to vet the issue because it must be tested on myriad PIX devices. The vendor has emphasized that since the issue involves the exposure of a service that shouldn't be exposed, it may be caused by a problem specific to Scholz's implementation and not a true vulnerability.

If proven to be a flaw, a source said, there is a potential for telephony denial-of-service or malicious call redirection, which could lead to voice phishing.

"There weren't enough details in the slide for anyone to be able to do anything with it," said a source with knowledge of Scholz's presentation. "He wanted to let people know it was there and to protect themselves."

Scholz reportedly stumbled upon the issue within the last month and had only recently returned from a vacation before Black Hat. "He didn't think it was a big deal," the source said.

"The [flaw] Michael Lynn revealed last year had the ability to essentially bring down routing," said another source. "So on a severity scale of one to 100, if Mike Lynn's was a 95, this might be a two."

Few Cisco products support SIP; for instance, its SIP Proxy Server call-control software uses it, and its SIP IP Phone software enables certain handsets to work in SIP-based VoIP environments. Hence the reaction from Cisco's lawyers pales in comparison to the furor caused last year when researcher Michael Lynn disclosed a serious vulnerability in IOS, Cisco's router operating system. Lynn subsequently lost his job, was sued and had a run-in with the FBI over the matter. Lynn, who now works for Cisco rival Juniper Networks Inc., is at this year's Black Hat.

This news comes just hours after a pair of presenters revealed a zero-day exploit for Cisco CallManager Express.

David Endler, director of security research for the TippingPoint division of Marlborough, Mass.-based 3Com Corp., and Mark Collier, CTO of San Antonio-based telephony management vendor SecureLogix Corp., authors of the book Hacking Exposed VoIP, told Black Hat attendees that the networking giant's CallManager Express VoIP management software is vulnerable to a flaw in which a remote user can supply specially crafted SIP requests to obtain information from the SIP user directory, including the names of the users stored in the SIP user database.

A patch for that issue is not yet available, but Cisco said it is investigating the problem and will provide further information when it becomes available. Cisco was notified of the issue prior to Black Hat.
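The CallManager Express issue above is an information leak through the SIP user directory, and until a vendor fix ships the practical defensive question is how to notice someone walking that directory. The following is an added example, not code from the article, from Cisco, or from the presenters: it assumes a simple per-transaction SIP log format (timestamp, source address, method, request URI, final status code) and flags any source that targets many distinct user parts within a short window, which is what a directory walk looks like regardless of which crafted request it uses. The log lines, field layout and thresholds are all constructed for the example.

```python
"""Flag SIP user-directory enumeration from a per-transaction log.

Added example, not from the article or any vendor.  The log format below
is an assumption: one line per SIP transaction, holding the timestamp,
source address, method, request URI and the final response status.  A
source that probes many distinct user parts in a short window, and sees
a mix of statuses (e.g. 200 for real users, 404 for unknown ones), is
the signature a defender can alert on.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed sample log: two normal phones and one probing source.
SAMPLE_LOG = """\
1154600000 192.0.2.20 REGISTER sip:alice@pbx.example.com 401
1154600001 192.0.2.20 REGISTER sip:alice@pbx.example.com 200
1154600010 203.0.113.7 OPTIONS sip:alice@pbx.example.com 200
1154600011 203.0.113.7 OPTIONS sip:aaron@pbx.example.com 404
1154600012 203.0.113.7 OPTIONS sip:bob@pbx.example.com 200
1154600013 203.0.113.7 OPTIONS sip:carol@pbx.example.com 404
1154600014 203.0.113.7 OPTIONS sip:dave@pbx.example.com 200
1154600015 203.0.113.7 OPTIONS sip:erin@pbx.example.com 404
1154600016 203.0.113.7 OPTIONS sip:frank@pbx.example.com 404
1154600030 198.51.100.4 INVITE sip:bob@pbx.example.com 200
1154600200 198.51.100.4 INVITE sip:alice@pbx.example.com 200
1154600400 198.51.100.4 INVITE sip:dave@pbx.example.com 200
1154600600 198.51.100.4 INVITE sip:erin@pbx.example.com 200
this line is deliberately malformed and must be skipped
"""

# Assumed log layout: "<ts> <src-ip> <METHOD> sip:<user>@<host> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) (?P<method>[A-Z]+) "
    r"sip:(?P<user>[^@\s]+)@(?P<host>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class SipTxn:
    ts: int
    src: str
    method: str
    user: str
    status: int


def parse_log(text):
    """Parse log lines into SipTxn records, silently skipping malformed lines."""
    txns = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        txns.append(SipTxn(int(m["ts"]), m["src"], m["method"],
                           m["user"], int(m["status"])))
    return txns


def find_enumerators(txns, window=60, threshold=5):
    """Return {src: details} for sources that hit >= threshold distinct
    users inside any sliding window of `window` seconds.

    The details record the best (largest) window seen for that source and
    the set of status codes, since a 200/404 mix is what lets a remote
    party tell real users from unknown ones.
    """
    by_src = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        by_src[t.src].append(t)

    alerts = {}
    for src, items in by_src.items():
        best = None
        start = 0
        for end, cur in enumerate(items):
            # Slide the window start forward until it fits `window` seconds.
            while cur.ts - items[start].ts > window:
                start += 1
            span = items[start:end + 1]
            users = {t.user for t in span}
            if len(users) >= threshold and (
                best is None or len(users) > best["distinct_users"]
            ):
                best = {
                    "distinct_users": len(users),
                    "statuses": sorted({t.status for t in span}),
                    "first_ts": span[0].ts,
                    "last_ts": cur.ts,
                }
        if best is not None:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, info in find_enumerators(parse_log(SAMPLE_LOG)).items():
        print(f"possible SIP directory walk from {src}: {info}")
```

Run stand-alone it reports the single probing source; the phone registering repeatedly as one user and the source placing a handful of calls spread over ten minutes stay quiet. The window and threshold are the knobs to tune against real call volume: a busy proxy will legitimately touch many users per minute, so this logic belongs on the untrusted-facing edge, keyed by external source address.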

Victor R. Garza and News Editor Eric B. Parizo contributed to this article.
