Cisco Says It Can't Confirm PIX Flaw

After nearly three weeks of investigating a potential vulnerability in its PIX 500 Series Security Appliances, Cisco on Tuesday said it hasn't been able to confirm that the flaw is

August 16, 2006


After nearly two weeks of investigating a security researcher's claims of a vulnerability in its PIX 500 Series Security Appliances, Cisco on Tuesday said it hasn't been able to confirm that the flaw is real.

At the Black Hat conference earlier this month, Hendrik Scholz, a lead VoIP developer and systems engineer at Germany's Freenet Cityline, revealed an undisclosed flaw in the PIX 500 series related to how the appliances handle inspection of Session Initiation Protocol (SIP) messages. Perhaps wary of becoming this year's Mike Lynn, Scholz didn't provide details on how to exploit the flaw and pledged to work with Cisco after the event to fix the issue.

However, in a Tuesday advisory, Cisco's Product Security Incident Response Team (PSIRT) said it hasn't been able to determine whether the flaw is a valid one. "After extensive testing, Cisco has been unable to reproduce this issue and cannot confirm Mr. Scholz's claims," Cisco said in the advisory.

According to Cisco, Scholz claimed in his presentation that a specially crafted SIP message sent to the PIX could open a User Datagram Protocol (UDP) connection to any device in the internal network, allowing an attacker to send UDP traffic to that internal device.

Cisco hasn't been able to create a vulnerable situation based on the description of the vulnerability Scholz presented at Black Hat or after the show. "Consequently, no defect has been filed, although we will continue to work with Mr. Scholz as we attempt to recreate the situation and validate his claims," Cisco said in the advisory.
