Cisco warns of IP phone flaws

Article

Cisco warns of IP phone flaws

Bill Brenner, Senior News Writer
Attackers could circumvent security restrictions and compromise certain Cisco IP phones by exploiting a series of flaws, the networking giant warned Wednesday. Some of the problems have been fixed.

The first problem is with the Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G and 7971G devices. The phones contain a hard-coded default user account with

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

a default password that's remotely accessible via a Secure Shell (SSH) server enabled on the phone.
Cisco in the news:
How to restrict traffic between the VPN server and remote Cisco clients

Cisco to acquire Reactivity for $135 million

Cisco routers threatened by drive-by pharming

Cisco fixes IOS flaws

Cisco bolsters security with IronPort buy

"This default user account may be leveraged to gain administrative access to a vulnerable phone via a privilege escalation vulnerability," Cisco warned. "The default user account may also execute commands causing a phone to become unstable and result in a denial of service."

The company has made free software available to address the flaws.

Researchers also found a series of flaws in the Cisco Unified IP Conference Station and IP phone devices.

According to Cisco:

  • It may be possible to access the Unified IP Conference Station administrative HTTP interface without authentication. "This vulnerability can be exploited remotely with no authentication and no user interaction," Cisco said. "If exploited, the attacker may alter the device configuration or create a denial of service." In a default configuration the attack vector is through TCP port 80, Cisco added.

  • Vulnerable Cisco Unified IP Phones contain a default username and password that may be accessed via SSH. "This vulnerability can be exploited remotely with no user interaction," Cisco said. "If exploited, the attacker may be able to modify the device configuration or perform additional attacks." The attack vector is through TCP port 22, the vendor added.

  • Affected Cisco Unified IP Phones contain privilege escalation vulnerabilities that allow local, authenticated users to obtain administrative access to the phone. "This vulnerability may be exploited remotely with authentication and no user interaction," Cisco said. "If exploited, the attacker may be able to modify the device configuration or cause a denial of service." The attack vector is through TCP port 22, the vendor said.

    The Cisco advisory offers a breakdown of the flaws it has fixed as well as those for which a patch is in development.

    In addition to the IP phone issues, the company said it has fixed a flaw in its Cisco Secure Services Client (CSSC). CSSC is a software client that enables customers to deploy a single authentication framework using the 802.1X authentication standard across multiple device types to access both wired and wireless networks. A lightweight version of the CSSC client is also a component of the Cisco Trust Agent (CTA) within the Cisco Network Admission Control (NAC) Framework solution.

    Cisco said these products are affected by multiple vulnerabilities, including privilege escalations and information disclosure.