So, if you watch any of the vulnerability lists that are out there, you may have noticed a recent spike in vulnerabilities identified in VoIP implementations from a number of different vendors. If you’re not sure what I’m talking about, you might think about heading on over to http://www.microsolved.com and downloading our free threat intelligence tool, Watchdog.
If you’re already a Watchdog user, you may have noticed that MSI decided to go from green to yellow earlier this week. That decision was based upon the release of several vulnerabilities identified in Cisco’s implementation of various VoIP protocols (oh yeah, and it’s patch Tuesday). Those issues range from vulnerabilities that could allow remote code execution to ones that cause denial of service. We’ve also seen several problems arise in Avaya’s implementation of VoIP protocols over the past couple of months.
MSI has been saying for some time now that VoIP vulnerabilities were going to start popping up. If I remember correctly, we started addressing this in our State of the Threat presentations about a year and a half ago. Over that time we’ve seen significant progress in the tools that have been developed to assist in managing VoIP deployments. While those tools have helped a lot of companies with their VoIP implementations, we’ve also seen them introduce unintended risks into those environments. At the same time, many more, and much more nefarious, tools have appeared that allow attackers to gain access to VoIP systems. And if you consider how useful fuzzing has become at identifying unknown problems in network traffic and applications, the sky is the limit when trying to determine where VoIP vulnerability research is going to end up. That is why MSI is ecstatic to have been approached by several different entities to perform VoIP Risk Assessments on their VoIP systems.
While a VoIP-specific Risk Assessment may be a fairly new thing, the premise is not. It’s simply a way of applying a proven methodology to assess whether the new (or old) VoIP system has introduced unknown risks into the environment. The methodology that we use is very similar to our normal Risk Assessment of an Information Security Program, though some minor steps had to be added and tweaked. The primary goal of these responsible organizations is to ensure that they are performing their due diligence by having a third party assess their VoIP implementations, and we applaud them for their initiative.