This was my first thought when I heard of the bash issue. Hopefully someone runs this with a noticeable payload (but not necessarily that malicious) to help wake people up.
OTOH, every single SIP stack I've tested is vulnerable to IP spoofing (due to the inane rules of SIP which make this attack very easy), yet IP auth is used extensively as the authentication system for wholesale VoIP traffic.
In addition, every VoIP system I've looked at as-a-whole has had all sorts of other vulnerabilities. Easy stuff, too, like "SQL injection on login form leading to full remote access to system". Vendors and customers pretty much don't seem to understand or care. One CTO of a successful SIP-based product said to me "Buffer overflows? That may be possible, but only if the network was very, very fast." His software handles many, many calls, had accidental remote backdoors, and is responsible for "securing" many many millions of dollars of telecom a month.
The telecom mindset seems wholly incapable of dealing with an environment such as the Internet.
But... end-user devices or "PBXes" have enough holes that attackers appear to be content to "smash-and-grab" for the most part. It doesn't seem like attackers are going after the "carriers" yet, although there's certainly enough money involved that someone stealing, say, 1% of a company's total volume would go unnoticed.
which gives white-hats the opportunity to patch your system without exploiting. The way I see it, a malicious person is going to exploit your server anyway. This way white-hats could patch your system and not be prosecuted. With this, someone who discovered the patch could scan the internet, look for servers that say "yes, please patch me" and deploy a quick patch and nothing else.