[cisco-voip] FW: Cisco Security Response: Cisco Unified IP Phone Remote Eavesdropping

Bill Simon bills at psu.edu
Thu Nov 29 10:52:51 EST 2007


Looking over the presentation PDF...

Where's the "bug"?

All I see are valid uses of the phone's features when a user has valid 
credentials.

HTTP is not a bug any more than telnet or FTP is a bug.  And this is 
after seeing post after post about "Why did Cisco turn off FTP in CM5? 
Why do I have to use SFTP?"  So, everyone, choose:  encrypted protocols 
or not.


Craig Staffin wrote:
> Interesting Bug,
> 
> Wes/Ryan any projected time frame on updated firmware?
> 
> Craig
> 
> -----Original Message-----
> From: Cisco Product Alert Tool [mailto:cco-pat-bouncehandler at external.cisco.com]
> Sent: Thursday, November 29, 2007 3:20 AM
> To: Craig Staffin
> Subject: Cisco Security Response: Cisco Unified IP Phone Remote Eavesdropping
> 
> Message Type : Security Response    
>     
> Title: Cisco Security Response: Cisco Unified IP Phone Remote Eavesdropping
> 
> URL:
> http://www.cisco.com/en/US/customer/products/products_security_response09186a0080903a6d.html
> (available to registered users)
>
> http://www.cisco.com/en/US/products/products_security_response09186a0080903a6d.html
> (available to non-registered users)
> 
> Posted: November 28, 2007
> 
> Summary: This is the Cisco PSIRT response to a presentation given at the
> Hack.Lu 2007 security conference by Joffery Czarny of Telindus regarding a
> technique to remotely eavesdrop using Cisco Unified IP Phones.
> 
> The original report is available at the following link:
> 
> http://www.hack.lu/pres/hacklu07_Remote_wiretapping.pdf 
> 
> We greatly appreciate the opportunity to work with researchers on security
> vulnerabilities and welcome the opportunity to review and assist in product
> reports.
>     

