CISA Alerts: May 1, 2024 – Cisco IP Phone Firmware Vulnerabilities

CISA Alert Highlights for May 1, 2024 - Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities

How are Vulnerabilities Rated?

These latest cybersecurity vulnerabilities focus on Cisco IP Phones that have been recently released by CISA in conjunction with the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). These product vulnerabilities, targeting Chemical, Critical Manufacturing, Energy, Water and Wastewater Systems have all been rated as medium to high-risk per the criteria listed below.

These vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Successful exploitation of these vulnerabilities could disclose sensitive information, allow privilege escalation, or allow remote code execution.

Vendor/Product:  Cisco IP Phones:
  • IP Phone 6800 Series with Multiplatform Firmware
  • IP Phone 7800 Series with Multiplatform Firmware
  • IP Phone 8800 Series with Multiplatform Firmware
  • Video Phone 8875 in Multiplatform Mode

Description: 

Multiple vulnerabilities in Cisco IP Phone firmware could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition, gain unauthorized access, or view sensitive information on an affected system.

The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.

Cisco IP Phone DoS Vulnerability

A vulnerability in the web-based management interface of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a DoS condition.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to cause the affected device to reload.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Source: CVE-2024-20376

Security Impact Rating (SIR): High

CVSS Score: 7.5

Cisco IP Phone Information Disclosure Vulnerability

A vulnerability in the web-based management interface of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device.

This vulnerability is due to a lack of authentication for specific endpoints of the web-based management interface on an affected device. An attacker could exploit this vulnerability by connecting to the affected device. A successful exploit could allow the attacker to gain unauthorized access to the device, enabling the recording of user credentials and traffic to and from the affected device, including VoIP calls that could be replayed.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Source: CVE-2024-20378

Security Impact Rating (SIR): High

CVSS Score: 7.5

Cisco IP Phone Unauthorized Access Vulnerability

A vulnerability in the XML service of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to initiate phone calls on an affected device.

This vulnerability exists because bounds-checking does not occur while parsing XML requests. An attacker could exploit this vulnerability by sending a crafted XML request to an affected device. A successful exploit could allow the attacker to initiate calls or play sounds on the device.

Note: The XML service is disabled by default.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Source: CVE-2024-20357

Security Impact Rating (SIR): Medium

CVSS Score: 5.3

Impact:  Multiple vulnerabilities in Cisco IP Phone firmware could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition, gain unauthorized access, or view sensitive information on an affected system.

Published Date:  05/01/2024

Mitigation:  For more information about these vulnerabilities, see the Details section of this advisory.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipphone-multi-vulns-cXAhCvS

If you suspect you may have a vulnerability that you need help to mitigate, the cybersecurity team Spry Squared is standing by.

Posted in CISA Alerts Cybersecurity Cybersecurity Advisories Firmware Government IT Managed Services Managed IT Managed Service Provider Managed Services News Technology Vulnerability ManagementTags