[ISN] Cisco can't reproduce Black Hat flaw

From: InfoSec News (alerts@private)
Date: Thu Aug 17 2006 - 01:33:24 PDT


http://www.networkworld.com/news/2006/081506-cisco-cant-reproduce-black-hat.html

By Robert McMillan
IDG News Service
08/15/06

Cisco has been unable to reproduce a security flaw reported in its PIX 
firewall appliance earlier this month, the networking company said 
Tuesday.

The alleged flaw was discovered by Hendrik Scholz, a developer with 
Freenet Cityline GmbH, who discussed it during an Aug. 2 presentation at 
the Black Hat USA conference in Las Vegas. Freenet is a German VoIP 
service provider.

Scholz claimed that if someone sent the PIX device a specially crafted 
SIP message, the firewall would then allow attackers to send traffic to 
any device on the network. SIP is a protocol used to set up telephone 
calls and other communication sessions over the Internet.

"We've had engineers both within the business unit and within our PSIRT 
[product security incident response team] organization looking into 
this," said John Noh, a Cisco spokesman. "We have not been able to 
replicate what he claims he has discovered."

Cisco had not ruled out the possibility that a flaw exists and is still 
testing its security appliances for a possible vulnerability, Noh said. 
But the company wanted to update customers on what it had found so far, 
he explained. "This is just a response for the benefit of our customers 
who might have seen the press coverage."

Scholz could not be reached immediately for comment.

During his Black Hat presentation, the security researcher said that 
exploiting the flaw was "really easy to do." But in an e-mail interview 
conducted two weeks ago, Scholz said that a hacker would first need to 
know "intimate details" about the network being attacked and have 
control of a device on the inside in order to pull off the attack.

The problem, as Scholz described it, had to do with the PIX SIP state 
engine and parser.

Cisco's comments on Scholz's findings can be found here [1].

[1] http://www.cisco.com/warp/public/707/cisco-sr-20060815-sip.shtml

