03-22-2013 10:38 AM - edited 03-16-2019 04:24 PM
Hello to everybody!
I have been audited by a network security company, and in the results it appeared that the IP phone model 3905 has a security vulnerability.
Here is the description of the vulnerability
Port: 7870
Vulnerability Name: BusyBox Built-in Shell
Vulnerability Risk: High
Vulnerability Description
This host allows unrestricted access to the BusyBox built-in shell. This shell provides a variety of remote management features for Linux based OSes.
Impact:
An attacker can obtain information from this host which could be used to further compromise this or other hosts on the network. Additionally, an attacker may be able to use this access to reconfigure this host.
Vulnerability Solution
Disable the BusyBox built-in shell unless it is specifically required for business purposes. If the BusyBox built-in shell is required, restrict access to it to authorized hosts only via host or network based access controls.
Cisco Ip Phone Model: 3905
SIP
Firmware version: 3905.9-2-1-0
I have done some research but I didn't find any useful information on how to mitigate this vulnerability or how to disable the BusyBox built-in shell on the phone.
I hope someone can help me with this.
Regards!
03-22-2013 10:17 PM
Hello Victor,
As far as I could understand and find out, the BusyBox Built-in Shell is a Linux feature, and I am not sure why the scanner is picking it up on an IP Phone. Has the auditor been able to pick up the same feature on any other Cisco IP Phone model too?
Now, to ensure the safety of your network from any malicious attack attempts, follow the leading practice recommendations to lock down a phone from the CUCM phone web page (settings access, PC Voice VLAN access, SSH disable, etc.) and from the network by not allowing any traffic except from phone to UC servers and vice versa. All in all, lock down the device and ensure that nothing except what should have access to the voice VLAN is part of the user access layer.
I would recommend reading Chapters 6, 7, 9, and 15 of Securing Cisco IP Telephony Networks
http://www.ciscopress.com/title/1587142953 to understand the various attack vectors and attack surface for endpoints and to remediate any security issues.
Regards,
Akhil Behl
Solutions Architect
akbehl@cisco.com
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
03-25-2013 09:10 AM
Hello Akbehl
Yes, I found that the BusyBox built-in shell is a Linux feature. I'm not a Linux expert, I just know the basics. After some research I couldn't find anything related to this phone or why the scanner detects it as a threat. The auditor detected this threat only on the 3905 model IP phones.
I will apply your recommendations and I hope to meet the security requirements in the next network scan.
Thanks
Regards!
03-25-2013 09:29 AM
I've just pulled a 3905 off the shelf and tried it. Sure enough, port 7870 has Busybox listening on it.
I've checked the device settings, and Telnet is disabled. SSH isn't an option on these phones. I think this needs raising as a security issue with TAC - urgently.
GTG
04-05-2013 09:09 AM
Hi Gordon
If you have disabled Telnet in the phone configuration you cannot have Telnet access, but if you telnet to the IP of the phone on this port (7870)
you can get access to this BusyBox built-in shell, which is like a command shell. I don't know what functions this
shell offers.
I opened a case to ask about this.
They told me that the way to mitigate this possible threat is by applying an access list to block this port from the data segments to the voice segments.
Also they mentioned that this port is not part of the phone functions.
So I applied the access list blocking this port; that's the way I did it. Until today I have not had
any unexpected issue.
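The two practical steps in this thread are Gordon's check (connect to TCP 7870 on a phone and see whether BusyBox answers) and Victor's mitigation (an access list that blocks port 7870 from the data segments into the voice segments). The script below is an added example, not code from any of the posts or from Cisco: it probes a list of phone addresses for an open TCP 7870, so you can run it from a data-VLAN host before and after the access list goes in, and it renders the IOS extended ACL in the form described. The phone addresses, the voice subnet 10.20.0.0/16, the data-VLAN SVI name Vlan10 and the ACL name BLOCK-BUSYBOX-7870 are assumptions for the example; the loopback listener is a constructed stand-in for a phone so the script runs offline.

```python
"""Probe IP phones for the BusyBox shell port (TCP 7870) and render the IOS
access list described in the thread as the mitigation.

Added example for this thread; not code from the original posts or from Cisco.
Assumptions (not from the thread): the phone IPs, the voice subnet
10.20.0.0/16, the data-VLAN SVI name "Vlan10" and the ACL name
"BLOCK-BUSYBOX-7870".
"""
import ipaddress
import socket

BUSYBOX_PORT = 7870  # the port the scanner (and GTG) saw BusyBox listening on


def probe_port(host, port, timeout=2.0):
    """Return True if a TCP connect to host:port completes, False otherwise.

    A completed handshake is all the scanner needed to raise the finding; the
    probe sends nothing to the shell.
    """
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except OSError:  # refused, timed out, unreachable, or dropped by the ACL
        return False
    conn.close()
    return True


def scan_phones(hosts, port=BUSYBOX_PORT, timeout=2.0):
    """Map each phone address to whether the shell port answered."""
    return {host: probe_port(host, port, timeout) for host in hosts}


def data_to_voice_acl(voice_subnet, port=BUSYBOX_PORT,
                      acl_name="BLOCK-BUSYBOX-7870", data_svi="Vlan10"):
    """Render an IOS extended ACL that denies TCP <port> into the voice subnet.

    'permit ip any any' follows the deny only so this example changes no other
    traffic; in a real deployment fold the deny into the existing inbound ACL
    on the data-VLAN interface instead.
    """
    net = ipaddress.IPv4Network(voice_subnet)
    wildcard = str(net.hostmask)  # IOS ACLs take wildcard masks, not prefixes
    return [
        f"ip access-list extended {acl_name}",
        f" deny tcp any {net.network_address} {wildcard} eq {port}",
        " permit ip any any",
        f"interface {data_svi}",
        f" ip access-group {acl_name} in",
    ]


def open_local_listener():
    """Constructed stand-in for a phone with the shell port open (loopback)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_local_port():
    """Pick a loopback port with nothing listening (stand-in for a blocked port)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Offline demo: one "phone" with the port open, one with it closed.
    srv, open_port = open_local_listener()
    try:
        print("open   :", probe_port("127.0.0.1", open_port))             # True
        print("closed :", probe_port("127.0.0.1", closed_local_port()))   # False
    finally:
        srv.close()
    # Against real phones (assumed addresses), run from a data-VLAN host before
    # and after the ACL is applied:
    # print(scan_phones(["10.20.1.11", "10.20.1.12"]))
    print("\n".join(data_to_voice_acl("10.20.0.0/16")))
```

The probe only reports whether a connection completes, which is what the scanner is checking; it does not interact with the shell. Note that the access list only stops hosts on other segments: anything already on the voice VLAN can still reach port 7870, which is why the earlier advice about restricting what is allowed onto the voice VLAN still applies.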