Voice over IP Cisco - Re: FW: Cisco Security Response: Cisco Unified IP


Author: Philip Walenta
Date: 2007-11-29, 1:12 pm

It's the fact that all the data to and from the phone is in clear text. No
encryption. Sniffable passwords etc.

-----Original Message-----
From: cisco-voip-bounces@puck.nether.net
[mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Bill Simon
Sent: Thursday, November 29, 2007 9:53 AM
To: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] FW: Cisco Security Response: Cisco Unified IP
Phone Remote Eavesdropping

Looking over the presentation PDF...

Where's the "bug"?

All I see are valid uses of the phone's features when a user has valid
credentials.

HTTP is not a bug any more than telnet or FTP is a bug. And this is after
seeing post after post about "Why did Cisco turn off FTP in CM5?
Why do I have to use SFTP?" So, everyone, choose: encrypted protocols or
not.


Craig Staffin wrote:
> Interesting Bug,
>
> Wes/Ryan any projected time frame on updated firmware?
>
> Craig
>
> -----Original Message-----
> From: Cisco Product Alert Tool
> [mailto:cco-pat-bouncehandler@external.cisco.com]
> Sent: Thursday, November 29, 2007 3:20 AM
> To: Craig Staffin
> Subject: Cisco Security Response: Cisco Unified IP Phone Remote
> Eavesdropping
>
> Message Type : Security Response
>
> Title: Cisco Security Response: Cisco Unified IP Phone Remote
> Eavesdropping
>
> URL:
> http://www.cisco.com/en/US/customer...ecurity_response09186a0080903a6d.html
> (available to registered users)
>
> http://www.cisco.com/en/US/products...esponse09186a0080903a6d.html
> (available to non-registered users)
>
> Posted: November 28, 2007
>
> Summary: This is the Cisco PSIRT response to a presentation given at
> the Hack.Lu 2007 security conference by Joffery Czarny of Telindus
> regarding a technique to remotely eavesdrop using Cisco Unified IP
> Phones.
>
> The original report is available at the following link:
>
> http://www.hack.lu/pres/hacklu07_Remote_wiretapping.pdf
>
> We greatly appreciate the opportunity to work with researchers on
> security vulnerabilities and welcome the opportunity to review and
> assist in product reports.
>
> This email has been sent to craig.staffin@inacom.com.
> You are receiving this notice because you subscribed to the Cisco
> Product Alert Tool (PAT) and created the following profile(s):
> All Alerts
>
> Subscribe/unsubscribe instructions :
> If you choose not to receive these notices, or if you would like to
> make changes to your notification profile, please go to:
> http://tools.cisco.com/Support/PAT/...les.do?local=en

_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip