

rsaturns

join:2004-12-06
Portland, OR

1 edit

Cisco IP phone vulnerability

Just an FYI for people out there in the Cisco Voice world. This gem is out there. Good luck searching for the bug ID as well.

»spectrum.ieee.org/computing/embe···lnerable

• The bug id is CSCuc8386.

CNU Kernel System Call Privilege Escalation Vulnerability
Symptoms:
Cisco Unified IP Phone 7900 series devices also referred to as Cisco TNP Phones contain an input validation vulnerability. A local, authenticated attacker with the ability to place a malicious binary on the phone could leverage this issue to elevate their privileges or take complete control of the device.

The issue is due to a failure to properly validate certain system calls made to the kernel of the device. This failure could allow the attacker to overwrite arbitrary portions of user or kernel space memory.

The following Cisco Unified IP Phone devices are affected:
Cisco Unified IP Phone 7975G
Cisco Unified IP Phone 7971G-GE
Cisco Unified IP Phone 7970G
Cisco Unified IP Phone 7965G
Cisco Unified IP Phone 7962G
Cisco Unified IP Phone 7961G
Cisco Unified IP Phone 7961G-GE
Cisco Unified IP Phone 7945G
Cisco Unified IP Phone 7942G
Cisco Unified IP Phone 7941G
Cisco Unified IP Phone 7941G-GE
Cisco Unified IP Phone 7931G
Cisco Unified IP Phone 7911G
Cisco Unified IP Phone 7906

The following models have reached end-of-life (EOL) status (for hardware only):
Cisco Unified IP Phone 7971G-GE
Cisco Unified IP Phone 7970G
Cisco Unified IP Phone 7961G
Cisco Unified IP Phone 7961G-GE
Cisco Unified IP Phone 7941G
Cisco Unified IP Phone 7941G-GE
Cisco Unified IP Phone 7906

Refer to the following link to determine what product upgrade and substitution options are available:
»www.cisco.com/en/US/products/hw/···ist.html

Conditions:
Cisco Unified IP Phones within the 7900 Series running a version of Cisco IP Phone software up to and including 9.3.1-ES10 are affected. Fixed software is forthcoming.

Workaround:
Restrict SSH and CLI access to trusted users only. Administrators may consider leveraging 802.1x device authentication to prevent unauthorized devices or systems from accessing the voice network.

Further Problem Description:
This issue was reported to Cisco PSIRT by Ang Cui of Columbia University. Cisco PSIRT would like to thank Ang and his staff for working with Cisco to resolve this issue.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6:
»intellishield.cisco.com/security···:OF/RC:C

CVE ID CVE-2012-5445 has been assigned to document this issue.
--
»vinfotech.blogspot.com


Wily_One
Premium
join:2002-11-24
San Jose, CA

said by rsaturns:

A local, authenticated attacker with the ability to place a malicious binary on the phone could leverage this issue to elevate their privileges or take complete control of the device.

...Yet still won't be able to make garble-/echo-/glitch-free voice calls over the network.


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:4

I worked at a company that used Cisco IP phones, and they were perfectly silky smooth.



rsaturns

join:2004-12-06
Portland, OR

Agreed, being a Cisco voice engineer the key is in the QoS design. QoS seems to be greatly overlooked, or the hope that "Auto-QoS" will fix all seems to be alive and well.

Know your QoS, know your LAN / WAN and VoIP is easy peasy regardless of product.
--
»vinfotech.blogspot.com


nosx

join:2004-12-27
00000
kudos:5

+1 to the QOS mandate for voice quality.

There is a great deal of knowledge lacking across the industry regarding the inner workings of priority queueing, the differences between strict priority and congestion aware LLQ, the need for congestion AVOIDANCE as well as congestion management technology and the insistence that any drop is bad regardless of what kind of packet got dropped.

Auto-qos could be replaced by "match dscp ef; priority percent 90" and let er rip. It would be more beneficial in many environments lol


cramer

join:2007-04-10
Raleigh, NC
kudos:7

reply to rsaturns
"Cui says they could also remotely compromise Cisco phones over the Internet." Only for phones run by absolute and complete idiots. Nobody in their right mind puts their VoIP phone network ON THE DAMN INTERNET. The call manager / IP PBX... YES, that will likely have a path to the internet, usually through one (or more) firewall(s); the phones will have ZERO direct internet access. His little hack requires local, AUTHENTICATED access to the phone. Most Cisco IP phones attached to a Cisco Call Manager will not have a default password. (I've made good money consulting to fix phones with unknown passwords.)

(Also, I use older SCCP images that are VxWorks based.)

And another gem... he "recommends" removing the speakerphone mic -- which he freely admits makes no difference. Yes, let's void the warranty of all our phones disassembling them to remove the MIC, breaking the speakerphone functionality. (hint: in a business -- hell, in my own HOUSE -- people use their speakerphone.)


ladino

join:2001-02-24
USA

reply to rsaturns
I second Cramer...
All the more reason to secure your voice devices just as much as your data traffic & deny them internet access. The only phones with any semblance of internet access should be phones on phone proxy.

Disable the MIC on the phone....hmm...he might as well have said unplug & don't use the phone



Grrrrrrr

@in-addr.arpa

reply to rsaturns
The bug ID above is wrong. The corrected ID is: CSCuc83860


over 13.5 years online © 1999-2013 dslreports.com.