12-20-2012 08:43 AM - edited 03-16-2019 02:49 PM
http://spectrum.ieee.org/computing/embedded-systems/cisco-ip-phones-vulnerable
Does anyone know what version of patch fixes this?
12-20-2012 09:27 AM
The bug id is CSCuc8386.
CNU Kernel System Call Privilege Escalation Vulnerability
Symptoms: Cisco Unified IP Phone 7900 series devices also referred to as Cisco TNP Phones contain an input validation vulnerability. A local, authenticated attacker with the ability to place a malicious binary on the phone could leverage this issue to elevate their privileges or take complete control of the device.
The issue is due to a failure to properly validate certain system calls made to the kernel of the device. This failure could allow the attacker to overwrite arbitrary portions of user or kernel space memory.
The following Cisco Unified IP Phone devices are affected:
Cisco Unified IP Phone 7975G
Cisco Unified IP Phone 7971G-GE
Cisco Unified IP Phone 7970G
Cisco Unified IP Phone 7965G
Cisco Unified IP Phone 7962G
Cisco Unified IP Phone 7961G
Cisco Unified IP Phone 7961G-GE
Cisco Unified IP Phone 7945G
Cisco Unified IP Phone 7942G
Cisco Unified IP Phone 7941G
Cisco Unified IP Phone 7941G-GE
Cisco Unified IP Phone 7931G
Cisco Unified IP Phone 7911G
Cisco Unified IP Phone 7906
The following models have reached end-of-life (EOL) status (for hardware only):
Cisco Unified IP Phone 7971G-GE
Cisco Unified IP Phone 7970G
Cisco Unified IP Phone 7961G
Cisco Unified IP Phone 7961G-GE
Cisco Unified IP Phone 7941G
Cisco Unified IP Phone 7941G-GE
Cisco Unified IP Phone 7906
Refer to the following link to determine what product upgrade and substitution options are available: http://www.cisco.com/en/US/products/hw/phones/ps379/prod_eol_notices_list.html
Conditions: Cisco Unified IP Phones within the 7900 Series running a version of Cisco IP Phone software up to and including 9.3.1-ES10 are affected. Fixed software is forthcoming.
Workaround: Restrict SSH and CLI access to trusted users only. Administrators may consider leveraging 802.1x device authentication to prevent unauthorized devices or systems from accessing the voice network.
Further Problem Description: This issue was reported to Cisco PSIRT by Ang Cui of Columbia University. Cisco PSIRT would like to thank Ang and his staff for working with Cisco to resolve this issue.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5445 has been assigned to document this issue.
12-20-2012 09:29 AM
Careful. While it states "Fixed-In 9.3(1)ES10", the conditions section states "up to and including 9.3.1-ES10 are affected. Fixed software is forthcoming."
01-04-2013 12:01 PM
Actual Cisco bug ID is: CSCuc83860
01-10-2013 02:48 AM
Workaround:
Restrict SSH and CLI access to trusted users only
Is there any comment about Call Manager Express? Any guideline on how to disable the SSH on the phones registered on a CUCME?
01-10-2013 04:34 AM
Hi George,
I've answered this question on the other post:
https://supportforums.cisco.com/message/3825042#3825042
Regards,
Harmit.
01-10-2013 06:11 AM
I'm a little curious how disabling/securing ssh access to endpoints protects against an exploit involving a physical connection to the rs232 ports of the endpoints as demonstrated in the above linked to video.
01-10-2013 06:30 AM
Hi Will,
This presentation by Ang is a lot more detailed. I haven't
quite wrapped my head around the whole thing yet, but
that's no surprise
http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html
Cheers!
Rob
"Far away from your trouble and worry
You belong somewhere you feel free" - Tom Petty
01-10-2013 06:53 PM
01-10-2013 06:41 AM
The exploit currently requires a CLI onto the phone. A CLI can be accessed either via the Aux port (so phones like 7911s are immune) or via SSH. As SSH authentication is "interesting" on the phones, it's not impossible to break in over the net.
So by disabling SSH, you can prevent the attack in its current form.
The fix will be in some version of 9.3. In the release notes for the first versions of 9.3, there is a bug whereby CDP was broken on some 79xx phones. Just make sure you read the release notes before applying any updates.
GTG