Thingp3wn3r

steve554365
Level 1

will.alvord
Level 5

The bug id is CSCuc8386.

CNU Kernel System Call Privilege Escalation Vulnerability
Symptoms:
Cisco Unified IP Phone 7900 series devices also referred to as Cisco TNP Phones contain an input validation vulnerability. A local, authenticated attacker with the ability to place a malicious binary on the phone could leverage this issue to elevate their privileges or take complete control of the device.

The issue is due to a failure to properly validate certain system calls made to the kernel of the device. This failure could allow the attacker to overwrite arbitrary portions of user or kernel space memory.

The following Cisco Unified IP Phone devices are affected:
Cisco Unified IP Phone 7975G
Cisco Unified IP Phone 7971G-GE
Cisco Unified IP Phone 7970G
Cisco Unified IP Phone 7965G
Cisco Unified IP Phone 7962G
Cisco Unified IP Phone 7961G
Cisco Unified IP Phone 7961G-GE
Cisco Unified IP Phone 7945G
Cisco Unified IP Phone 7942G
Cisco Unified IP Phone 7941G
Cisco Unified IP Phone 7941G-GE
Cisco Unified IP Phone 7931G
Cisco Unified IP Phone 7911G
Cisco Unified IP Phone 7906

The following models have reached end-of-life (EOL) status (for hardware only):
Cisco Unified IP Phone 7971G-GE
Cisco Unified IP Phone 7970G
Cisco Unified IP Phone 7961G
Cisco Unified IP Phone 7961G-GE
Cisco Unified IP Phone 7941G
Cisco Unified IP Phone 7941G-GE
Cisco Unified IP Phone 7906

Refer to the following link to determine what product upgrade and substitution options are available:
http://www.cisco.com/en/US/products/hw/phones/ps379/prod_eol_notices_list.html

Conditions:
Cisco Unified IP Phones within the 7900 Series running a version of Cisco IP Phone software up to and including 9.3.1-ES10 are affected. Fixed software is forthcoming.

Workaround:
Restrict SSH and CLI access to trusted users only. Administrators may consider leveraging 802.1x device authentication to prevent unauthorized devices or systems from accessing the voice network.

Further Problem Description:
This issue was reported to Cisco PSIRT by Ang Cui of Columbia University. Cisco PSIRT would like to thank Ang and his staff for working with Cisco to resolve this issue.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5445 has been assigned to document this issue.

Careful. While it states "Fixed-In 9.3(1)ES10", the conditions section states "up to and including 9.3.1-ES10 are affected. Fixed software is forthcoming."

Actual Cisco bug ID is: CSCuc83860

Workaround:

Restrict SSH and CLI access to trusted users only

Is there any comment about Call Manager Express? Any guideline on how to disable the SSH on the phones registered on a CUCME?

Hi George,

I've answered this question on the other post:

https://supportforums.cisco.com/message/3825042#3825042

Regards,

Harmit.

I'm a little curious how disabling/securing ssh access to endpoints protects against an exploit involving a physical connection to the rs232 ports of the endpoints as demonstrated in the above linked to video.

Hi Will,

This presentation by Ang is a lot more detailed. I haven't quite wrapped my head around the whole thing yet, but that's no surprise.

http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html

Cheers!

Rob

"Far away from your trouble and worry
You belong somewhere you feel free" - Tom Petty

The exploit currently requires a CLI onto the phone. A CLI can be accessed either via the Aux port (so phones like 7911s are immune) or via SSH. As SSH authentication is "interesting" on the phones, it's not impossible to break in over the net.

So by disabling SSH, you can prevent the attack in its current form.

The fix will be in some version of 9.3. In the release notes for the first versions of 9.3, there is a bug whereby CDP was broken on some 79xx phones. Just make sure you read the release notes before applying any updates.

GTG

Please rate all helpful posts.