Cisco directs high priority patches for IP phone security exposures

Tech giant warns on SIP vulnerabilities in 8800 and 7800 series IP business phones

Cisco has advised customers using its 7800 and 8800 series IP phones to patch a variety of high-priority vulnerabilities that could lead to denial of service and other security problems.

The tech giant issued five security advisories, four for the 8800 and one for both the 8800 and 7800 series of IP phones.

The 8800 is a high-end business desktop device that features high-definition video and mobile device integration. The 7800 is more of a general business IP phone.

The security advisories include a vulnerability in the web-based management interface of session initiation protocol (SIP) software for Cisco IP Phone 8800 Series, which could allow an authenticated, remote attacker to write arbitrary files to the filesystem, Cisco wrote.

According to the vendor, the vulnerability is due to insufficient input validation and file-level permissions. An attacker could exploit this vulnerability by uploading invalid files to an affected device.

Furthermore, a vulnerability exists in the web-based management interface of SIP software for Cisco IP Phone 8800 Series which could allow an authenticated, remote attacker to write arbitrary files to the filesystem.

The vulnerability is due to insufficient input validation and file-level permissions. An attacker could exploit this vulnerability by uploading invalid files to an affected device, Cisco said.

Thirdly, a weakness in the web-based management interface of SIP Software for Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to bypass authorisation, access critical services and cause a denial of service (DoS) condition.

The vulnerability exists because the software fails to sanitize URLs before it handles requests. An attacker could exploit this vulnerability by submitting a crafted URL, Cisco explained.

Rounding off the list of threats, an exposure in the web-based management interface of SIP Software for Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack.

The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading an authenticated user of the interface to follow a crafted link, Cisco said.

Cisco said these vulnerabilities affect Cisco IP Phones running a SIP software release prior to 11.0 for Wireless IP Phone 8821-EX and release 12.5 SR1 for the IP Conference Phone 8832 and the rest of the IP Phone 8800 Series.

The last vulnerability impacts both phones. The problem is a weakness in the web-based management interface of SIP software for Cisco IP Phone 7800 Series and Cisco IP Phone 8800 Series. A successful exploit could allow the attacker to trigger a reload of an affected device, resulting in a DoS condition, or to execute arbitrary code with the privileges of the app user.

Cisco wrote that the vulnerability exists because the software improperly validates user-supplied input during user authentication. An attacker could exploit this vulnerability by connecting to an affected device using HTTP and supplying malicious user credentials.

Cisco said that the weakness involves version 10.3 SR5 for Unified IP Conference Phone 8831; 11.0 SR3 for Wireless IP Phone 8821 and 8821-EX; and 12.5 SR1 for the rest of the IP Phone 7800 and 8800 Series.
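For administrators checking a phone fleet against the releases listed above, here is an added example (not from Cisco or the original article) that flags 7800 and 8800 series phones still running an older release. It assumes the versions the article names are the first patched releases, that release strings use the article's "12.5 SR1" notation, and that the inventory rows are constructed sample data.

```python
import re

# Releases the article names for the 7800/8800 authentication-input advisory,
# read here as the first patched release per model (assumption).
FIXED = {"8831": "10.3 SR5", "8821": "11.0 SR3", "8821-EX": "11.0 SR3"}
FIXED_DEFAULT = "12.5 SR1"  # "the rest of the IP Phone 7800 and 8800 Series"

def parse_release(text):
    """'12.5 SR1' -> (12, 5, 1); a release with no SR suffix counts as SR0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\s*SR(\d+))?\s*", text, re.IGNORECASE)
    if m is None:
        raise ValueError(f"unrecognised release string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def needs_patch(model, release):
    """True if a 7800/8800 phone runs a release older than the fixed one.
    Returns None for models outside the two series (not covered here)."""
    if not re.fullmatch(r"(78|88)\d\d(-EX)?", model):
        return None
    fixed = parse_release(FIXED.get(model, FIXED_DEFAULT))
    return parse_release(release) < fixed

def audit(inventory):
    """Split an inventory into phones to upgrade and rows needing manual review."""
    upgrade, review = [], []
    for host, model, release in inventory:
        try:
            verdict = needs_patch(model, release)
        except ValueError:
            review.append(host)  # unknown version format: do not guess
            continue
        if verdict:
            upgrade.append(host)
    return upgrade, review

# Constructed inventory rows (hostname, model, running release) for illustration.
SAMPLE = [
    ("lobby-01", "8851", "12.1 SR1"),
    ("exec-02", "8865", "12.5 SR1"),
    ("conf-03", "8831", "10.3 SR4"),
    ("whs-04", "8821-EX", "11.0 SR3"),
    ("desk-05", "7841", "12.5"),
    ("desk-06", "7821", "sip78xx-unknown"),
    ("door-07", "6901", "9.3"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Rows whose release string cannot be parsed are returned for manual review rather than being treated as patched.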

Cisco said it has released free patches for all the advisories and suggests going here to see how to download them. 

