Cisco: PIX Flaw Remains Unconfirmed
Chris Crum Staff Writer
2006-08-17
At the recent Black Hat security conference in Las Vegas, a VoIP developer named Hendrik Scholz said that there was a flaw in Cisco's PIX 500 Series Security Appliances.
Scholz didn't go into too much detail about the flaw, but said he would work with Cisco to fix it.
The problem is, however, that they have not been able to find the flaw again, so naturally they are having a hard time fixing it. Kevin McLaughlin of CRN reports:
According to Cisco, Scholz claimed in his presentation that a specially crafted SIP message could be sent to the PIX that could open a User Datagram Protocol (UDP) connection to any device in the internal network, allowing an attacker to send UDP traffic to the internal device.
Cisco hasn't been able to create a vulnerable situation based on the description of the vulnerability Scholz presented at Black Hat or after the show. "Consequently, no defect has been filed, although we will continue to work with Mr. Scholz as we attempt to recreate the situation and validate his claims," Cisco said in the advisory.
Doug Caverly has posted a somewhat-related article about the relationship between "bug hunters" and software companies in which he quotes Cisco Chief Security Officer John Stewart.
"We can create undue attention onto something that might hurt our customers," he said. "If we know, to the best of our knowledge, that there is a weakness in our product, we're attempting not to draw further attention to it."
Well, there has certainly been some attention drawn to the possibility of a PIX 500 flaw at this point.
Tag: Cisco, PIX 500
About the Author:
Chris Crum is a staff writer for SecurityProNews and WebProNews.