IP Phone 3905 Security Vulnerability: BusyBox Built-in Shell

Victor_Gonzalez
Level 1

Hello to everybody!

I have been audited by a network security company, and the results say that the IP phones of model 3905 have a security vulnerability.

Here is the description of the vulnerability

Port    Vulnerability Name         Vulnerability Risk
7870    BusyBox Built-in Shell     High

Vulnerability Description

This host allows unrestricted access to the BusyBox built-in shell.  This shell provides a variety of remote management features for Linux based OSes.

Impact:

An attacker can obtain information from this host which could be used to further compromise this or other hosts on the network.  Additionally, an attacker may be able to use this access to reconfigure this host.

Vulnerability Solution

Disable the BusyBox built-in shell unless it is specifically required for business purposes.  If the BusyBox built-in shell is required, restrict access to it to authorized hosts only via host or network based access controls.

Cisco IP Phone Model: 3905
Protocol: SIP
Firmware version: 3905.9-2-1-0

I have done some research, but I didn't find any useful information on how to mitigate this vulnerability or how to disable the BusyBox built-in shell on the phone.

I hope someone can help me with this.

Regards!

4 Replies

Akhil Behl
Level 1

Hello Victor,

As far as I could understand and find out, the BusyBox built-in shell is a Linux feature, and I am not sure why the scanner is picking it up on an IP phone. Has the auditor been able to pick up the same feature on any other Cisco IP Phone model too?

Now, to ensure the safety of your network from any malicious attack attempts, follow the leading-practice recommendations to lock down a phone from the CUCM phone configuration page (settings access, PC voice VLAN access, SSH disable, etc.) and from the network by not allowing any traffic except from phone to UC servers and vice versa. All in all, lock down the device and ensure that nothing except what should have access to the voice VLAN is part of the user access layer.

I would recommend reading Chapters 6, 7, 9, and 15 of Securing Cisco IP Telephony Networks (http://www.ciscopress.com/title/1587142953) to understand the various attack vectors and attack surface for endpoints and to remediate any security issues.

Regards,

Akhil Behl
Solutions Architect
akbehl@cisco.com

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953


Hello Akhil,

Yes, I found that the BusyBox built-in shell is a Linux feature. I'm not a Linux expert, I just know the basics. After some research I couldn't find anything related to this phone or why the scanner detects it as a threat. The auditor detected this threat only on the 3905 model IP phones.

I will apply your recommendations; I hope to meet the security requirements in the next network scan.

Thanks

Regards!

Gordon Ross
Level 9

I've just pulled a 3905 off the shelf and tried it. Sure enough, port 7870 has BusyBox listening on it.

I've checked the device settings, and Telnet is disabled. SSH isn't an option on these phones. I think this needs raising as a security issue with TAC - urgently.

GTG

Please rate all helpful posts.
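The check Gordon describes above (connect to TCP 7870 on a 3905 and see whether a BusyBox shell answers) is easy to repeat across a whole voice subnet before and after a mitigation is applied. The script below is an added example, not code from the original thread or from Cisco: it opens a TCP connection to the port, captures whatever the service prints on connect, and flags a banner that looks like a BusyBox prompt. The banner heuristic, the 2-second timeout and the local stand-in listener used to exercise it offline are all assumptions; the thread itself does not say what the 3905 prints on connect.

```python
import socket
import sys
import threading
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Port on which the scanner (and Gordon's manual test) found BusyBox listening.
SHELL_PORT = 7870


@dataclass
class ProbeResult:
    host: str
    port: int
    open: bool
    banner: str = ""

    @property
    def looks_like_shell(self) -> bool:
        # Heuristic only (assumption): BusyBox's ash usually prints a
        # "BusyBox v..." line and/or a "#" / "$" prompt when a client connects.
        # An open port with no banner still deserves a manual look.
        text = self.banner.rstrip()
        return self.open and (
            "BusyBox" in text or text.endswith("#") or text.endswith("$")
        )


def probe_busybox_shell(host: str, port: int = SHELL_PORT,
                        timeout: float = 2.0) -> ProbeResult:
    """Connect to host:port and collect whatever the service sends unprompted.

    Returns open=False on connection refused / unreachable / timeout.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            chunks: List[bytes] = []
            try:
                # Read until the peer closes, stays silent for `timeout`,
                # or we have more than enough to classify.
                while sum(len(c) for c in chunks) < 4096:
                    data = sock.recv(1024)
                    if not data:
                        break
                    chunks.append(data)
            except socket.timeout:
                pass
            banner = b"".join(chunks).decode("utf-8", errors="replace")
            return ProbeResult(host, port, True, banner)
    except OSError:
        return ProbeResult(host, port, False)


def sweep(hosts: Iterable[str], port: int = SHELL_PORT,
          timeout: float = 2.0) -> List[ProbeResult]:
    """Probe every host and return only those with the port open."""
    results = (probe_busybox_shell(h, port, timeout) for h in hosts)
    return [r for r in results if r.open]


def fake_phone_shell(banner: bytes) -> Tuple[threading.Thread, int]:
    """Constructed stand-in for a phone: a loopback listener that sends
    `banner` to the first client and closes. Used only to exercise the probe
    offline; a real 3905 is not involved."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return thread, port


if __name__ == "__main__":
    # Usage: python probe7870.py 10.10.100.21 10.10.100.22 ...
    for res in sweep(sys.argv[1:]):
        verdict = "SHELL?" if res.looks_like_shell else "open"
        print(f"{res.host}:{res.port} {verdict} {res.banner!r}")
```

Run it against the voice subnet from a host on the data VLAN: any phone still listed after the access-list is in place means the filter is not on the path the scanner took. Because a silent service only shows up as "open", treat an open 7870 with no banner as still needing a manual telnet, exactly as in the thread.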

Hi Gordon,

If you have disabled Telnet in the phone configuration you cannot get Telnet access, but if you telnet to the IP of the phone on this port (7870) you can get access to this BusyBox built-in shell, which is like a command shell. I don't know the possible functions of this shell.

I opened a case to ask about this. They told me that the way to mitigate this possible threat is by applying an access-list to block this port from the data segments to the voice segments. They also mentioned that this port is not part of the phone functions.

So I applied the access-list blocking this port; that's the way I did it. Until today I have not seen any unexpected issue.
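The mitigation TAC gave above (block TCP 7870 from the data segments toward the voice segments) looks like the following on a Cisco IOS Layer-3 switch. This is an added example, not configuration from the thread or from Cisco's documentation: the VLAN numbers, subnets and ACL name are assumptions; the port is the one from the scan. The filter is placed inbound on the data-VLAN SVI so the packet is dropped before it is routed toward the phones.

```cisco
! Assumed addressing: data VLAN 20 = 10.10.20.0/24, voice VLAN 100 = 10.10.100.0/24
ip access-list extended BLOCK-PHONE-SHELL
 remark Drop data-VLAN hosts reaching the 3905 BusyBox shell (TCP 7870)
 deny   tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 7870 log
 ! Everything else keeps flowing; tighten further per the lock-down advice above
 permit ip any any
!
interface Vlan20
 description Data VLAN - user PCs
 ip access-group BLOCK-PHONE-SHELL in
!
! Verify: the deny line's hit counter should increase when a PC on VLAN 20
! attempts "telnet <phone-ip> 7870"
! show ip access-lists BLOCK-PHONE-SHELL
```

Two caveats follow directly from the thread. The ACL only helps for traffic that crosses the router; a PC that is already on the voice VLAN (for example through the phone's PC port) is not filtered, which is why the earlier reply also recommends disabling PC voice VLAN access and restricting the voice VLAN to phone-to-UC-server traffic. And since the shell is still listening on the phone, a rescan from inside the voice segment will still report it; the scanner must test from the data side, through the ACL, to confirm the fix.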
