Bugtraq mailing list archives
Re: The Trivial Cisco IP Phones Compromise
From: Peter Peters <P.G.M.Peters () civ utwente nl>
Date: Fri, 20 Sep 2002 16:53:00 +0200
On Thu, 19 Sep 2002 16:32:43 -0400, you wrote:
1. Access to the Cisco 7960 IP phone: A Cisco model 7960 IP phone running a SIP-compatible image has a password that can be set by the IP phone administrator. The default password is "cisco" if the password has not been set to some other value. Cisco strongly recommends setting the password to something other than the default.
There have been discussion going on (and off) about the danger of default passwords. How long does it take before so-called secure aware companies become really aware of security issues?
The key sequence of "**#" is not intended as a password. It is clearly and publicly documented in many places within Cisco's product literature. The key sequence is solely intended to protect against casual or accidental changes to the phone's configuration.
Then just don't accept is as a password. It's that simple, isn't it?
2. Abuse of the TFTP service: Although the author is correct that various attacks against the TFTP service can be mounted, there are several measures that can be employed by the IP phone administrator and the organization to mitigate the risk. If the network is firewalled properly so that the different network segments are compartmentalized as the Cisco SAFE white papers recommend, then the TFTP server will only respond to legitimate requests. The TFTP server does not need to reside on the same network segment as the IP phone. If RFC 1918 addressing is employed for the IP phones and proper ingress/egress filtering is in place as recommended, then any such attack is highly unlikely to succeed from outside the enterprise VoIP network, even with the use of UDP. Access to the physical networks from within the enterprise may make it easier to succeed with the attack, but if the VLANs are properly protected and MAC addresses monitored per the SAFE documents -- for example, by using arpwatch or arpsnmp -- then an attack may be detected by the IP phone administrators.
Not in all situations the IP phones are within one network. Sometimes the phones are used by home workers. And not all ADSL- and cable-companies allow IPsec over their network. At least not when you have a consumer version of the connection. If you want IPsec you have to buy the expensive business version for all the home workers.
Current thread:
- The Trivial Cisco IP Phones Compromise Ofir Arkin (Sep 19)
- Re: The Trivial Cisco IP Phones Compromise Jim Duncan (Sep 20)
- Re: The Trivial Cisco IP Phones Compromise Peter Peters (Sep 20)
- <Possible follow-ups>
- RE: The Trivial Cisco IP Phones Compromise Ofir Arkin (Sep 20)
- Re: The Trivial Cisco IP Phones Compromise Jim Duncan (Sep 20)