Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Businesses IT

Cisco SPA300/500 IP Phones Vulnerable To Remote Eavesdropping 45

Bismillah writes Cisco has confirmed that its SPA300 and SPA500 are vulnerable to remote eavesdropping and dialing, and is working on a patch. Meanwhile, the advice is not to have the phones on internet-facing connections. From the article: "Cisco has confirmed the issue reported by Watts, which is a result of wrong authentication settings in the default configuration of firmware version 7.5.5. An attacker can send a specially crafted Extended Markup Language (XML) request to devices which will allow them to both make phone calls remotely, and listen in on audio streams. Successful exploits could be used to conduct further attacks, Cisco warned. Despite the confirmed vulnerability, Cisco said the flaw was unlikely to be used and gave it a low 'harassment' severity rating."
This discussion has been archived. No new comments can be posted.

Cisco SPA300/500 IP Phones Vulnerable To Remote Eavesdropping

Comments Filter:
  • I'm not so sure I'd want to enable this feature.

  • https://web.nvd.nist.gov/view/... [nist.gov]

    The debug console interface on Cisco Small Business SPA300 and SPA500 phones does not properly perform authentication, which allows local users to execute arbitrary debug-shell commands, or read or modify data in memory or a filesystem, via direct access to this interface, aka Bug ID CSCun77435.

    Impact

    CVSS Severity (version 2.0):
    CVSS v2 Base Score: 6.9 (MEDIUM) (AV:L/AC:M/Au:N/C:C/I:C/A:C) (legend)
    Impact Subscore: 10.0
    Exploitability Subscore: 3.4

    CVSS Version 2 Metrics:
    Access Vector: Locally exploitable
    Access Complexity: Medium
    Authentication: Not required to exploit
    Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

  • Looks like a solution to this would be to have phones that support the IPv6, but not the IPv4 protocol. It would be next to impossible to scope the phone's address behind a firewall - the port scan would take forever.
    • by Himmy32 ( 650060 )
      Or the best practices of having these all on a separate subnet/VLAN that can only communicate with the call manager. That's why Cisco has marked this as a low threat because if you've configured your equipment right nothing else should really be able to communicate with the phone outside of the call manager.
      • by ledow ( 319597 ) on Monday March 23, 2015 @11:06AM (#49321003) Homepage

        "Hiding" the phones among the IPv6 ranges is just stupid and not "security" at all (literally, security by obscurity!).

        Even then, chances are that there's a range of consecutive IP's and just block-scanning through the IP's at random (say, scan every sensible address suffix because most people will start them on something sensible) will narrow it down quite quickly before you'll notice anything's happened. And chances are that most people will split at the usual boundaries, use the same IPv6 range (or the next one up) as their web servers are on, etc.

        As stated above, the phones themselves have NO need to be on a public network. Push them through a VPN or similar if you really must but they should be on their own VLAN anyway (so you can QoS them properly and easily) and they shouldn't require direct access to the Internet anyway (the voice gateway is another matter that's separately handled).

        But, better, stop buying, producing and selling devices that have debug interfaces that let you do ANYTHING on the device, remotely, without authentication. Because that's so dumb it's orders of magnitude more dumb than trying to hide your IP ranges in a IPv6 haystack.

  • Don't assume your typical non-military-grade-hardened phone is secure unless it's so-dumb-that-its-unhackable* or the phone resides on an isolated network over which you and only people you trust can see.

    Even if nobody knows how to compromise it today, you shouldn't assume someone won't figure out how to compromise it "tomorrow".

    * think "analog phone on a cross-bar switch" - but even that is subject to hacking, but few people have the skills to do more than a simple wiretap.

  • I also hear the sun is bright, and rain is wet.

    Who knew?

"Someone's been mean to you! Tell me who it is, so I can punch him tastefully." -- Ralph Bakshi's Mighty Mouse

Working...