Cisco Systems is urging customers to update several models of their IP phones after issuing patches for five high-severity flaws found in its popular business-focused IP phones.
Impacted are Cisco’s IP Phone 8800 series, which are business desk phones that have HD video included and its IP Phone 7800 series, which are meant for desktops and conference rooms in businesses. The vulnerabilities could allow unauthenticated, remote attackers to conduct a cross-site request forgery attack, launch denial of service attacks or write arbitrary files to the targeted device’s filesystem.
Cisco released the patches on Wednesday adding the most serious of these flaws is a cross-site request forgery vulnerability found in the Cisco IP Phone 8800 series. Cross-site request forgery is an attack that forces an end user to execute unwanted actions (changing their email, transferring funds, etc.) on a web application in which they’re currently authenticated.
The vulnerability (CVE-2019-1764) has a CVSS score of 8.1, and stems from insufficient cross-site request forgery protections for the web-based management interface of the phone’s software.
Cisco said that a remote, unauthenticated attacker could exploit this vulnerability by persuading an authenticated user of the interface to follow a special crafted link: “A successful exploit could allow the attacker to perform arbitrary actions on a targeted device via a web browser and with the privileges of the user,” according to the advisory.
Another serious vulnerability in the IP Phone 8800 series is a path traversal flaw (CVE-2019-1765) which has a CVSS score of 8.1.
This flaw also exists in the web-based management interface of the phone’s software, and could allow an authenticated, remote attacker to write arbitrary files to the filesystem, Cisco said.
“The vulnerability is due to insufficient input validation and file-level permissions,” said Cisco. “An attacker could exploit this vulnerability by uploading invalid files to an affected device. A successful exploit could allow the attacker to write files in arbitrary locations on the filesystem.”
The IP Phone 8800 series running Session Initiation Protocol (SIP) Software prior to version 11.0(5) (for Wireless IP Phone 8821-EX), or version 12.5(1)SR1 (for the IP Conference Phone 8832 and the rest of the IP Phone 8800 Series), are vulnerable to both these flaws and can upgrade to those latest versions.
The Cisco IP Phone 8800 series also has a file upload denial of service flaw in the web-based management interface feature of its software. The vulnerability (CVE-2019-1766), which has a CVSS score of 7.5, could allow a remote attacker to cause high disk utilization, resulting in denial of service.
That’s because the impacted software does not restrict the maximum size of certain files that can be written to disk – so an attacker who has valid administrator credentials for an affected system could exploit the flaw by sending a crafted, remote connection request to an affected system.
“A successful exploit could allow the attacker to write a file that consumes most of the available disk space on the system, causing application functions to operate abnormally and leading to a DoS condition,” said Cisco. Cisco said that IP Phone 8800 series products running a SIP Software release prior to 12.5(1)SR1 are impacted and should upgrade.
Cisco also patched an authorization bypass vulnerability (CVE-2019-1763) in its IP Phone 8800 series, which could allow an unauthenticated, remote attacker to bypass authorization, access critical services, and launch a denial of service attack.
“The vulnerability exists because the software fails to sanitize URLs before it handles requests,” according to Cisco. “An attacker could exploit this vulnerability by submitting a crafted URL. A successful exploit could allow the attacker to gain unauthorized access to critical services and cause a DoS condition.”
Finally, Cisco patched a remote code execution flaw in its IP Phone 7800 series and 8800 series, which could allow an unauthenticated, remote attacker to cause a denial of service condition or execute arbitrary code. Because the phones’ software improperly validates user-supplied input during user authentication, an attacker could exploit this vulnerability by connecting to an affected device using HTTP and supplying malicious user credentials.
“A successful exploit could allow the attacker to trigger a reload of an affected device, resulting in a DoS condition, or to execute arbitrary code with the privileges of the app user,” said Cisco.
The patches come a week after Cisco fixed a critical vulnerability allowing adversaries to access monitoring system used for gathering info on operating systems and hardware.