Dailydave mailing list archives

Cisco confirms vulnerability in 7921 Wi-Fi IP phone


From: "George Ou" <george_ou () lanarchitect net>
Date: Sat, 23 Feb 2008 15:43:25 -0800

Two days after news of the Vocera Wi-Fi VoIP communicator PEAP security
bypass vulnerability, I received confirmation from Cisco that their model
7921 Wi-Fi VoIP phone is also vulnerable to the same issue where digital
certificates aren't cryptographically verified.  Both Cisco and Vocera have
told me that they intend to fix future implementations of PEAP and do the
necessary steps to ensure certificate authenticity.  Cisco released the
following statement.

"Cisco confirms that the Cisco wireless IP phone model 7921 does not
currently validate server certificates when configured to use PEAP
(MS-CHAPv2). The Cisco 7920 model does not support PEAP. Cisco is planning a
long term solution to enable the option of client-side validation of server
certificates with PEAP; however, we do not currently have a time line for
when a software upgrade will be available. To work around the problem,
administrators can configure EAP-TLS as an alternative to PEAP while
ensuring mutual client-server authentication."

Details at http://blogs.zdnet.com/security/?p=901


George Ou, CISSP
ZDNet Editor at Large (CNET Networks)
http://blogs.zdnet.com/Ou
http://blogs.zdnet.com/security



_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
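
Added example, not part of the original post or of Cisco's statement: an audit for the same class of gap (an EAP client that accepts the server certificate without validating it), using wpa_supplicant-style `network={}` blocks as a stand-in client configuration. It goes beyond the PEAP case by also checking TTLS and EAP-TLS, since the EAP-TLS workaround only helps if the server is validated too; the sample config, SSIDs, paths and function names are constructed.

```python
import re
# Constructed sample wpa_supplicant.conf content (not from the original post).
SAMPLE_CONF = '''
network={
    ssid="voice-weak"
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="voice-pinned"
    eap=PEAP
    ca_cert="/etc/ssl/certs/radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
network={
    ssid="voice-tls"
    eap=TLS
    ca_cert="/etc/ssl/certs/radius-ca.pem"
}
'''

CERT_METHODS = {"PEAP", "TTLS", "TLS"}   # EAP methods where the server presents a certificate
TRUST_KEYS = ("ca_cert", "ca_path")      # trust anchor for the server certificate
NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Yield a dict of key -> value for each network={...} block."""
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", text, re.S):
        block = {}
        for line in body.splitlines():
            key, sep, value = line.strip().partition("=")
            if sep and not key.startswith("#"):
                block[key.strip()] = value.strip().strip('"')
        yield block

def audit(text):
    """Return (ssid, code) for each block that weakens server certificate validation."""
    findings = []
    for net in parse_networks(text):
        if not CERT_METHODS & set(net.get("eap", "").upper().split()):
            continue
        if not any(net.get(k) for k in TRUST_KEYS):
            findings.append((net.get("ssid"), "no-trust-anchor"))   # server cert never verified
        elif not any(net.get(k) for k in NAME_KEYS):
            findings.append((net.get("ssid"), "no-name-check"))     # any cert under the CA passes
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A `no-trust-anchor` finding corresponds to the behaviour Cisco describes for the 7921; `no-name-check` is the weaker case where the CA is trusted but the server's identity is not constrained.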

