
| Subject: | [Full-disclosure] Cisco confirms vulnerability in 7921 Wi-Fi IP phone |
|---|---|
| Date: | Sat, 23 Feb 2008 16:00:06 -0800 |
Two days after news of the Vocera Wi-Fi VoIP communicator PEAP security bypass vulnerability, I received confirmation from Cisco that their model 7921 Wi-Fi VoIP phone is also vulnerable to the same issue where digital certificates aren't cryptographically verified. Both Cisco and Vocera have told me that they intend to fix future implementations of PEAP and do the necessary steps to ensure certificate authenticity.

Cisco released the following statement:

"Cisco confirms that the Cisco wireless IP phone model 7921 does not currently validate server certificates when configured to use PEAP (MS-CHAPv2). The Cisco 7920 model does not support PEAP. Cisco is planning a long term solution to enable the option of client-side validation of server certificates with PEAP; however, we do not currently have a time line for when a software upgrade will be available. To work around the problem, administrators can configure EAP-TLS as an alternative to PEAP while ensuring mutual client-server authentication."

Details at http://blogs.zdnet.com/security/?p=901

George Ou, CISSP
ZDNet Editor at Large (CNET Networks)
http://blogs.zdnet.com/Ou
http://blogs.zdnet.com/security

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
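The failure described in the post is a supplicant that builds the outer PEAP TLS tunnel without checking who terminates it, so a rogue access point with any certificate receives the inner MS-CHAPv2 exchange. The wpa_supplicant network blocks below are an added illustration, not part of the original message and not Cisco or Vocera configuration: the first reproduces the weak behaviour (no trusted CA given), the second is the hardened PEAP equivalent, and the third is the EAP-TLS workaround Cisco's statement recommends. The SSID, identities, passwords, file paths and the RADIUS server name are all hypothetical.

```conf
# Added example, not from the original post. All names and paths are assumptions.

# 1. Weak: no ca_cert, so the supplicant accepts whatever certificate the
#    RADIUS server (or a rogue AP impersonating it) presents, and the
#    MS-CHAPv2 credentials are sent through an untrusted tunnel.
network={
    ssid="corp-voice"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="phone-1001"
    password="s3cret-phone-pass"
    phase2="auth=MSCHAPV2"
}

# 2. Hardened PEAP: the server chain must validate against the organisation's
#    RADIUS CA and the certificate's name must match the expected server, so a
#    certificate from any other CA, or a valid one for a different host, aborts
#    the handshake before any inner authentication is sent.
network={
    ssid="corp-voice"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="phone-1001"
    anonymous_identity="anonymous"
    password="s3cret-phone-pass"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

# 3. EAP-TLS, the alternative Cisco's statement describes: mutual certificate
#    authentication with no reusable password for a rogue server to capture.
#    Server validation is still pinned the same way as in block 2.
network={
    ssid="corp-voice"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="phone-1001@corp.example"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    client_cert="/etc/wpa_supplicant/phone-1001.crt"
    private_key="/etc/wpa_supplicant/phone-1001.key"
    private_key_passwd="key-passphrase"
}
```

Only one of the three blocks would normally be present for a given SSID; they are shown side by side to contrast the settings. On older wpa_supplicant builds without `domain_suffix_match`, `subject_match` or `altsubject_match="DNS:radius.corp.example"` provides the name check. The same two controls, a pinned CA and a server-name match, are what a phone firmware needs to implement to close the issue the post describes.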