Message-ID: <20D3ABB4974D954F9264E414F966AF340138B48C@C12-E2K3-MBOX03.cnet.cnwk>
Date: Sat, 23 Feb 2008 16:00:06 -0800
From: "George Ou" <george.ou@...hrepublic.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Cisco confirms vulnerability in 7921 Wi-Fi IP phone

Two days after news of the Vocera Wi-Fi VoIP communicator PEAP security
bypass vulnerability, I received confirmation from Cisco that their model
7921 Wi-Fi VoIP phone is also vulnerable to the same issue where digital
certificates aren't cryptographically verified.  Both Cisco and Vocera
have told me that they intend to fix future implementations of PEAP and
do the necessary steps to ensure certificate authenticity.  Cisco
released the following statement.

"Cisco confirms that the Cisco wireless IP phone model 7921 does not
currently validate server certificates when configured to use PEAP
(MS-CHAPv2). The Cisco 7920 model does not support PEAP. Cisco is
planning a long term solution to enable the option of client-side
validation of server certificates with PEAP; however, we do not
currently have a time line for when a software upgrade will be
available. To work around the problem, administrators can configure
EAP-TLS as an alternative to PEAP while ensuring mutual client-server
authentication."

Details at http://blogs.zdnet.com/security/?p=901


George Ou, CISSP
ZDNet Editor at Large (CNET Networks)
http://blogs.zdnet.com/Ou
http://blogs.zdnet.com/security
