-
Several vulnerabilities have been identified and repaired in Cisco IP Phones. One vulnerability allows unauthorized modification of the phone's configuration, while the remainder cause the phone to restart when certain types of network traffic are received.
Workarounds are available for some of the vulnerabilities. Cisco is offering free fixed software to address these vulnerabilities. Full details are available below and in the on-line copy of this document at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020522-ip-phone-vulnerability
-
CSCdw16714
CSCdw16720
CSCdw95128
CSCdv29136
The Cisco IP Phones are vulnerable to several network-based Denial of Service (DoS) attacks, including the well-known attacks "jolt", "jolt2", "raped", "hping2", "bloop", "bubonic", "mutant", "trash", and "trash2". All of these defects were resolved by improving the ability of the IP Phone to resist high rates of traffic directed at it.
CSCdw93296
CSCdx21102
The Cisco IP phones include a built-in web server on port 80. The server provides several pages of debug and status information about the phone. It is possible to modify an HTTP request to exploit an input validation vulnerability which results in the reinitialization of the IP phone.
CSCdx21108
The Cisco IP Phones store their configuration information locally and most of it is accessible through the "Settings" button on the phone. By default, these settings are locked (as indicated by a padlock icon in the mode title bar when viewing them) to prevent them from being changed accidentally. These settings may be modified via a trusted path key combination: '**#'. This is documented in the product manual and is not admin-configurable. Once unlocked, several fields can be reconfigured. Modification of the phone's configuration is very likely to go unnoticed, since a user never has to interact with the configuration menu where these changes were made. This will be resolved at a later date, likely by a configuration option to control the ability to make local configuration changes at the keypad of the phone.
-
Denial-of-service attacks on the Cisco IP Phone can be mitigated by limiting or blocking IP traffic from untrusted sources. Exploitation of the web interface vulnerability can be prevented by blocking access to port 80 via other devices on the network. The basic configuration of the Cisco IP Telephone can be protected by permitting physical access only by authorized users and network administrators.
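The following is an added example, not part of the Cisco advisory: a Python check that reads flow records and reports any connection that reached a phone's port 80 web server from a source outside the trusted management range, which indicates the port 80 block is missing or incomplete. The voice and management networks and the flow-record format are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumed addressing; the advisory names no networks.
PHONE_NET = ipaddress.ip_network("10.20.0.0/16")       # voice VLAN (assumption)
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]   # admin hosts (assumption)

# Constructed flow records, one per line: "src_ip dst_ip protocol dst_port"
SAMPLE_FLOWS = """\
10.0.5.17 10.20.1.44 tcp 80
192.0.2.9 10.20.1.44 tcp 80
10.30.2.2 10.20.7.10 udp 16384
10.30.2.2 10.20.7.10 tcp 80
10.0.5.17 10.99.0.1 tcp 80
bad line
"""

def parse_flow(line):
    """Return (src, dst, proto, port), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]),
                parts[2].lower(), int(parts[3]))
    except ValueError:
        return None

def untrusted_web_access(flow_text):
    """List (src, dst) flows that reached a phone's port 80 from outside TRUSTED_NETS."""
    hits = []
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip records that do not parse
        src, dst, proto, port = flow
        to_phone_web = proto == "tcp" and port == 80 and dst in PHONE_NET
        if to_phone_web and not any(src in net for net in TRUSTED_NETS):
            hits.append((str(src), str(dst)))
    return hits

if __name__ == "__main__":
    for src, dst in untrusted_web_access(SAMPLE_FLOWS):
        print(f"phone web server {dst}:80 reached from untrusted source {src}")
```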
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
Cisco IP Phone Firmware (fixes carry forward into all later versions)
CallManager Version Affected | First Fixed Firmware Release | First Fixed CallManager Release
3.0 | P003J310 | N/A
3.1 | P00303010401 | 3.1(4)
3.2 | P00303020203 (available 2002-05-29) | TBD
Cisco IP Phone SIP or MGCP Firmware (fixes carry forward into all later versions)
Version Affected | First Fixed Firmware Release
POS3-03-1-00 and earlier | TBD
POM3-03-1-00 and earlier | TBD
-
The vulnerabilities described by CSCdx21102 and CSCdx21108 were originally reported to Cisco by Johnathan Nightingale. The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.1 | 2002-July-31 | Change status from Interim to Final
Revision 1.0 | 2002-May-22 | Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.