Laboratories made its second announcement of security vulnerabilities in Voice over IP systems marketed by Avaya, Cisco and Nortel. This brings the total number of vulnerability groups reported to VoIP vendors in 2008 to over fifty, representing over 175 unique vulnerabilities. The vulnerability groups will be disclosed in limited detail on VoIPshield's website, available at noon EDT today. Vulnerabilities are categorized into four exploit types based on their most likely malicious intent: remote code execution; unauthorized access; denial of service; and information harvesting.
Under its Responsible Disclosure Policy, VoIPshield works with the VoIP vendors to assist them in reproducing the vulnerabilities in their labs, thus facilitating the development of software patches for the affected products. Avaya, Cisco and Nortel are acknowledging these vulnerabilities today on their websites, and issuing their own security advisories.
"Most security breaches result from a combination of attack methods," said Rick Dalmazzi, president and CEO of VoIPshield. "There is a trend in recent years of hacker attacks moving 'up the stack' to the application layer. One recent study found that over twenty percent of breaches included exploiting a known vulnerability in the targeted application. What's important is that the good guys find these vulnerabilities and protect against them faster than the bad guys find them and exploit them."
The VoIP vulnerabilities discovered by VoIPshield Labs, if successfully exploited, could result in losses to the corporation in the form of mitigation expenses, brand reputation, internal productivity, competitive advantage and compliance penalties.
"Security vulnerabilities and threats continue to evolve," said Russell Smoak, Cisco director of security intelligence engineering. "Continued collaboration with the vulnerability research community is important to the overall security of the Internet ecosystem. We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in their product reports. We thank VoIPshield for collaboratively reporting these vulnerabilities to Cisco."
Effective immediately, customers of VoIPshield's VoIPaudit VoIP Vulnerability Assessment product can download the new vulnerabilities to update their systems, using the VoIPshield Update(TM) subscription service. Customers using the VoIPguard Intrusion Prevention System, currently in field trials, can download the corresponding new threat signatures.
In April, VoIPshield was named one of five "Cool Vendors in Infrastructure Protection for 2008" by Gartner. "As IP telephony continues to gain momentum, targeted attacks -- and possibly broad-based attacks -- will surface and gain greater visibility, highlighting vulnerabilities and the overall lack of focus on IP telephony security," said Lawrence Orans, Gartner analyst for VoIP Security. "The limited number of high-profile attacks against IP telephony has lulled most chief information security officers and voice/data managers into a false sense of security, with the result that most do not have adequate protection for their converged networks."