Dangerous default, bill fraud may occur

Dan Lukes
VIP Alumni

There is a remote control API available on every phone at http://<ip>/CGI/Execute

It allows a remote user to order the phone to dial any number; you can simulate key presses, e.g. you can change anything accessible via the phone menu, and so on.

This API is open by default in SIP mode - no authentication is required.

This API is not mentioned in the Administrator Guide, so admins may not be aware of it. As a result, any attacker with physical access to an Ethernet plug connected to the phone network can order any other phone connected to that network to dial any number. As it's documented nowhere, most networks haven't changed the default to something more secure. Bill fraud is imminent.

Access to /CGI/Execute can be restricted by the 'CISCO_XML_EXE_Auth_Mode' option, but it's not documented. An unofficial description based on observations can be read here: CiscoIPPhoneExecute Dial, but note that it will break access to the WWW UI; see Broken WWW UI on SPA504G

All SPA5xx, SPA3xx, SPA1xx and SPA2xx with current firmware seem to be affected by the issue (it doesn't mean that older firmwares are not vulnerable, I just didn't test them).

Workaround:

  1.   disable all inter-phone network connectivity on the switch (our way; it requires a switch that can do it)
  2.   configure the CISCO_XML_EXE_Auth_Mode value (but the WWW UI becomes unusable then)

Because bill fraud may occur, it needs to be considered a severe security incident.

Phones in SPCP mode have not been analyzed.


Dan Lukes
VIP Alumni

The Broken WWW UI issue has been solved in 7.5.6 firmware.

But the API is still wide open by default, making the phone vulnerable.

See also: Bug in the latest spa3XX-5XXG phone firmware 7.5.6 - Can not transfer anonymous calls

Updated: see CSCuo52482; it seems to be solved in 7.5.7s

Note that the default value of CISCO_XML_EXE_Auth_Mode has been changed from Trusted to Local Credential in the 7.5.7s firmware.

Also, CISCO_XML_EXE_Enable, with a default value of No, has been introduced in the same version.

See also: Added/removed/changed XML tags between N and M firmware of SPA50x