Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Cisco confirms vulnerability in 7921 Wi-Fi IP phone
From: "George Ou" <george.ou () techrepublic com>
Date: Sat, 23 Feb 2008 16:00:06 -0800

Two days after news of the Vocera Wi-Fi VoIP communicator PEAP security
bypass vulnerability, I received confirmation from Cisco that their
7921 Wi-Fi VoIP phone is also vulnerable to the same issue where digital
certificates aren't cryptographically verified.  Both Cisco and Vocera
have told me that they intend to fix future implementations of PEAP and
do the necessary steps to ensure certificate authenticity.  Cisco
released the following statement.

"Cisco confirms that the Cisco wireless IP phone model 7921 does not
currently validate server certificates when configured to use PEAP
(MS-CHAPv2). The Cisco 7920 model does not support PEAP. Cisco is
planning a long term solution to enable the option of client-side
validation of server certificates with PEAP; however, we do not
currently have a time line for when a software upgrade will be
available. To work around the problem, administrators can configure
EAP-TLS as an alternative to PEAP while ensuring mutual client-server

Details at http://blogs.zdnet.com/security/?p=901

George Ou, CISSP
ZDNet Editor at Large (CNET Networks)

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Cisco confirms vulnerability in 7921 Wi-Fi IP phone George Ou (Feb 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]