[VOIPSEC] VoIP Vulnerabilities and Exposures (VVE) - (Was Re: Questions about recent Sipera reported RIM Blackberry (and other VoIP phone) vulnerabilities)

[Raul Siles]

Hi everybody,
Although we've not heard other thoughts from this list yet, meanwhile, I've
collected some details from the WVE guys that we can use as a reference:

Basically, WVE works on an all volunteer basis. The editors aren't paid
anything for working on the site, and although they do have some submissions
from non-editors, they come largely from them. Because of this it's not
really expected that editors put a lot of time into the project.

The main reason for them not to just petitioning the CVE to include more
wireless related entries was primarily because they wanted to catalog the
exploits relating to each vulnerability in addition to the vulnerability
itself. Additionally it allows them to include more descriptive information
about each vulnerability that CVE entries do not usually include.

We could follow the same idea and include the exploits too, or simply
reference the tools from the Tools List project (I initially would prefer
this option to simplify things). Obviously, it means that exploits not
implemented in any tool yet, would not exist (from the VVE or Tools List
perspective).

As was mentioned before, the quality of the result would be highly
influenced by having truly dedicated people doing it and $$$ involved.

Comments from anyone?
--
Raul Siles
GSE
www.raulsiles.com


On 4/6/07, Raul Siles <raul.siles at gmail.com> wrote:
>
> Dan,
> Thanks for the follow up on this, your comments and for splitting it up in
> a new thread :)
>
> I sent the message to voipsa at voipsa.org on April, 2 (perhaps it got lost
> in the SPAM filters, I'll resend it again).
>
> Re your comments:
> 1) This is one of the main reasons I asked the community about your
> concerns.
>
> The main benefit of a separate service is that we (VOIPSA) would have more
> control about specific VoIP vulns. and the information we want to include
> for each of them: we could refer to specific threats using the current
> Threat Taxonomy, tools that exploit the vuln from the Tools List, or
> mitigation strategies referring to the upcoming Best Practices document.
>
> I agree there is a drawback. Using the WVE (wireless) as an example, I
> know about problems that fit almost all the categories: only in CVE, only in
> WVE, in both (CVE and WVE).
>
> Having only 39 CVE entries dating back to 1999 related to VoIP reflects
> the issue :(
>
> How feasible would be to "work with the CVE folks" in an accurate and
> effective way to have all the entries and info we'd like in CVE? Based on
> that we could decide to create a new service or not.
>
> 2) As far as I know, the way it works for WVE is because there are some
> sponsors (that most probably invested some money there for the basic
> infrastructure, I don't know the exact details) and a good set of editors
> that enter or review the entries submitted by anyone in the community. I
> agree that to make it succeed and be a high-quality service, investment
> (economic and human) is required.
>
> WVE is a community effort nowadays: http://www.wve.org/info.
>
> Anyone has good contacts within CVE to see if we could provide some
> requisites for the VoIP entries and integrate that into the VoIPSA Web page?
>
> --
> Raúl Siles
> GSE
> www.raulsiles.com
>
> On 4/6/07, dan_york at mitel.com <dan_york at mitel.com> wrote:
> >
> > Raul,
> >
> > > Your comments and concerns are directly related with a topic I
> > privately
> > > suggested to VOIPSA a couple of days ago about VoIP-related
> > vulnerabilities
> > > (didn't hear from VOIPSA yet).
> >
> > To whom did you send it when you say you send it to "VOIPSA"?  Did you
> > just
> > send it to Dave Endler?  Or to several of us?  Generally Dave, Jonathan
> > or
> > I
> > respond to inquiries.  I know Jonathan is travelling but I don't know
> > Dave's
> > status - and I can't find any message in my inbox.  Please feel free to
> > send
> > it my way and I'll be glad to circulate it to the others.
> >
> > > My suggestion was related with the creation
> > > of a VoIP Vulnerabilities and Exposures (VVE) service, similar to CVE
> > or
> > WVE
> > > but just focused on VoIP. I think VOISA should lead it. The VWE
> > service
> > > could apply a standard and homogeneous threat rating, as you wisely
> > suggest.
> >
> > It's an interesting idea and I like the concept, but I have two
> > thoughts:
> >
> > 1. Does it make sense to create a separate and new service?  Or should
> > we
> >    instead work with the CVE folks to ensure that VoIP vulnerabilities
> > are
> >    entered correctly there?  There are currently 39 CVE entries dating
> > back
> >    to 1999 related to VoIP -
> > http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip
> >    On the one hand, creating a separate service allows people to find
> > VoIP
> >    security information much easier.  On the other hand, it is now a
> >    separate body of information that can't be searched in an integrated
> >    fashion. (i.e. a search for a vendor's name on CVE would NOT turn up
> >    VoIP vulnerabilities... unless they were entered in both places,
> > which
> >    is now double the work for someone)
> >
> > 2. For VOIPSA to realistically launch and *maintain* an initiative like
> >    this, it seems to me that you would need people who are truly
> > dedicated
> >    to doing this.  We *might* be able to do it with very committed
> > volunteers,
> >    but I would wonder if we don't really some folks a bit beyond
> > volunteer
> >    level... perhaps student internships... perhaps part time staff...
> > all
> >    of which starts to involve $$$.  For us to be able to do that, we
> > have
> >    to make the transition to a paid membership organization that we have
> >    been talking about for a number of months now.
> >
> > It occurs to me that there might be a way to accomplish the VoIP focus
> > while
> > retaining the integration with the rest of the security
> > industry.  Perhaps
> > we
> > could work with the CVE folks to be able to extract and display the VoIP
> > vulnerabilities on a VOIPSA web page - but yet have the entries still
> > reside in the CDE database.  That way we could put a focus on the VoIP
> > vulnerabilities, yet leverage: a) the work and staff of the CVE project;
> > and
> > b) maintain the integration with all the other vulnerabilities.
> >
> > My 2 cents,
> > Dan
> >
> >
> >
> > --
> > Dan York, CISSP
> > Dir of IP Technology, Office of the CTO
> > Mitel       http://www.mitel.com
> > dan_york at mitel.com +1-613-592-2122
> > PGP key (F7E3C3B4) available for
> > secure communication
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >
>
>