Cisco Small Business IP Phones Open to Remote Eavesdropping

Cisco is warning customers about several vulnerabilities in some of its IP phones that can allow an attacker to listen in on users’ conversations. The bug affects the Cisco SPA 300 and 500 Series IP phones.

Cisco had confirmed the vulnerabilities, which were discovered by Chris Watts, a researcher at Tech Analysis in Australia, and is working on a new version of the firmware to fix the bugs.

“A vulnerability in the firmware of the Cisco Small Business SPA 300 and 500 series IP phones could allow an unauthenticated, remote attacker to listen to the audio stream of an IP phone,” Cisco said in its advisory.

“The vulnerability is due to improper authentication settings in the default configuration. An attacker could exploit this vulnerability by sending a crafted XML request to the affected device. An exploit could allow the attacker to listen to a remote audio stream or make phone calls remotely.”

The vulnerability exists in version 7.5.5 of the firmware for the Cisco Small Business SPA500 IP phones. The fix for the bug is not yet available, but Cisco said it is preparing one. One mitigating factor for this vulnerability is that an attacker might need privileged access in order to exploit it.

“To exploit this vulnerability, an attacker may need access to trusted, internal networks behind a firewall to send crafted XML requests to the targeted device. This access requirement may reduce the likelihood of a successful exploit,” the Cisco advisory says.

In addition to this bug, Watts discovered a pair of other flaws in Cisco products. One of the other vulnerabilities enables an XSS attack on the IP phones.

“A vulnerability in the web user interface of the Cisco Small Business SPA300 and SPA500 Series IP Phones could allow an unauthenticated, remote attacker to execute a cross-site scripting (XSS) attack,” the advisory from Tech Analysis says. 

Suggested articles