
Cisco IP phones vulnerable to eavesdropping; no patch available yet

Cisco says a vulnerability in some of its IP phones for SMBs could allow eavesdropping. A fix is not yet available, but Cisco has offered mitigation techniques.

A vulnerability has been found in two different sets of Cisco Systems Inc. IP phones, and the vendor says the flaw could allow attackers to remotely eavesdrop on phone calls.

Cisco has confirmed a vulnerability (CVE-2015-0670) in the firmware of the Cisco Small Business SPA 300 and 500 series IP phones. The vulnerability is known to affect version 7.5.5 of the phones, but could also impact later versions.

According to the advisory, the vulnerability is due to improper authentication settings in the default configuration, and could potentially be exploited by sending a specially crafted XML request to the affected device.

If such an exploit were successful, the attacker could listen to the audio of a call, initiate phone calls remotely, or conduct further attacks.

Cisco downplayed the vulnerability, saying it is unlikely to be exploited, and noted that the likelihood of a successful exploit would be mitigated if an attacker also needed to penetrate a firewall of a trusted internal network before sending the crafted XML request.

Cisco has not yet released a software update for the affected devices and has not given a timetable for a release. It did, however, suggest interim mitigation techniques, such as enabling XML execution authentication in the settings of affected devices, and considering IP-based access control lists (ACLs) that would allow only trusted systems to connect to affected devices.
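One way to put the IP-based ACL mitigation into practice, as an added example that is not from Cisco's advisory or this article: an extended ACL on the Cisco IOS router or Layer 3 switch that routes into the phone VLAN, permitting only a trusted management host to reach the phones' web configuration interface and logging every other attempt. The phone subnet (10.10.20.0/24), the trusted host (10.10.10.5), the VLAN interface name and the assumption that the crafted XML request arrives over HTTP (TCP/80) are all illustrative assumptions; the article does not state which port the request uses.

```cisco
! Added example, not Cisco's own configuration.
! Assumptions: SPA 300/500 phones live in 10.10.20.0/24, the only host that
! should manage them is 10.10.10.5, and the XML/web interface listens on TCP/80.
ip access-list extended PHONE-ADMIN-OUT
 remark Only the trusted admin host may reach the phones' web/XML interface
 permit tcp host 10.10.10.5 10.10.20.0 0.0.0.255 eq 80
 remark Block and log any other attempt to reach that interface
 deny   tcp any 10.10.20.0 0.0.0.255 eq 80 log
 remark Leave call signalling and media between other hosts untouched
 permit ip any any
!
! Applied OUTBOUND on the phone VLAN's routed interface, i.e. on traffic
! leaving the router toward the phones. An inbound ACL here would only
! filter what the phones send, not what is sent to them.
interface Vlan20
 description Voice VLAN - SPA 300/500 phones (assumed)
 ip access-group PHONE-ADMIN-OUT out
```

The `log` keyword on the deny entry produces a syslog message for every blocked connection attempt, which gives the security team a detection signal while the patch is pending. This ACL complements, rather than replaces, the other mitigation Cisco named: enabling XML execution authentication is a per-phone setting made in the device's own configuration interface and is not shown here.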


Join the conversation

2 comments


Does your company use the affected Cisco IP phones?
We haven't used these particular IP phones, and now that we know they are open to remote eavesdropping we're unlikely to trust them in the future.
