Cisco Unified IP Phone Local Kernel System Call Input Validation Vulnerability

Summary

• Cisco Unified IP Phones 7900 Series versions 9.3(1)SR1 and prior contain an arbitrary code execution vulnerability that could allow a local attacker to execute code or modify arbitrary memory with elevated privileges.
  
  This vulnerability is due to a failure to properly validate input passed to kernel system calls from applications running in userspace. An attacker could exploit this issue by gaining local access to the device using physical access or authenticated access using SSH and executing an attacker-controlled binary that is designed to exploit the issue. Such an attack would originate from an unprivileged context.
  
  Ang Cui initially reported the issue to the Cisco Product Security Incident Response Team (PSIRT). On November 6, 2012, the Cisco PSIRT disclosed this issue in Cisco bug ID CSCuc83860 (registered customers only) Release Note Enclosure. Subsequently, Mr. Cui has spoken at several public conferences and has performed public demonstrations of a device being compromised and used as a listening device.
  
  Mitigations are available to help reduce the attack surface of affected devices. See the "Details" section of this security advisory and the accompanying Cisco Applied Mitigation Bulletin (AMB) for additional information.
  
  Update (November 3rd, 2014):
  Updated software that resolves the vulnerability described in this document has been released. This release is generally available and can be downloaded from the product-specific support areas on Cisco.com. The release version is 9.4(2).
  
  This advisory is available at the following link:
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-uipphone

Affected Products

• The vulnerability affects the Cisco Unified IP Phones 7900 Series, also known as TNP phones.

  Vulnerable Products

  The following Cisco Unified IP Phones 7900 Series devices are affected by the vulnerability documented in this advisory:
  

  • Cisco Unified IP Phone 7906
  • Cisco Unified IP Phone 7911G
  • Cisco Unified IP Phone 7931G
  • Cisco Unified IP Phone 7941G
  • Cisco Unified IP Phone 7941G-GE
  • Cisco Unified IP Phone 7942G
  • Cisco Unified IP Phone 7945G
  • Cisco Unified IP Phone 7961G
  • Cisco Unified IP Phone 7961G-GE
  • Cisco Unified IP Phone 7962G
  • Cisco Unified IP Phone 7965G
  • Cisco Unified IP Phone 7970G
  • Cisco Unified IP Phone 7971G-GE
  • Cisco Unified IP Phone 7975G

  Products Confirmed Not Vulnerable

  The following Cisco Unified IP Phones 7900 Series devices are not affected by the vulnerability documented in this advisory:
  

  • Cisco Unified IP Phone 7902G
  • Cisco Unified IP Phone 7905G
  • Cisco Unified IP Phone 7910G
  • Cisco Unified IP Phone 7912G
  • Cisco Unified IP Phone 7940
  • Cisco Unified IP Phone 7960
  • Cisco Unified IP Phone 7985G
  • Cisco Unified Wireless IP Phone 7920 Versions 1/2/3
  • Cisco Unified Wireless IP Phone 7921G
  • Cisco Unified Wireless IP Phone 7925G
  • Cisco Unified Wireless IP Phone 7925G-EX
  • Cisco Unified Wireless IP Phone 7926G
  • Cisco Unified IP Conference Station 7935
  • Cisco Unified IP Conference Station 7936
  • Cisco Unified IP Conference Station 7937G

  
  No other Cisco products are currently known to be affected by this vulnerability.

Details

• Several models in the CiscoUnified IP Phones 7900 Series contain an input validation vulnerability that could allow a local, authenticated attacker to manipulate arbitrary areas of memory within the device. This is due to a failure to properly validate user-supplied parameters that are passed to kernel system calls. Multiple access vectors have been identified whereby an attacker could gain local access to the device. An attacker can accomplish this by gaining physical access to the device via the AUX port on the back of the device, or remotely by first authenticating to the device via SSH. After the Cisco Unified Communications Manager (CallManager) provisions the device, the remote access method is disabled by default.
  
  Public Demonstrations
  
  This issue has been publicly demonstrated at several venues. In each demonstration, the devices that are used appear to be unprovisioned phones running an affected version of the Cisco Unified IP Phone software. The demonstrations use a physical attack vector to compromise the phone via a local serial port to place a modified binary on the device, which could then be used to manipulate arbitrary regions of kernel memory by exploiting this issue.
  
  In the demonstrations, the handset microphone is enabled while the handset is in the on-hook position (handset in the cradle). The high-gain area microphones on the TNP devices are electrically connected to the speakerphone active indicator and cannot be bypassed through software manipulation. On the 79x1 Series devices, the handset microphone is controlled by software and the General Purpose Input/Output (GPIO) channels on the audio codec, which allows the microphone to be activated and the display indicators on the handset to be bypassed.
  
  The 79x2 and 79x5 Series devices are designed to provide additional protections by electrically connecting the handset microphone to the off-hook switch, which prevents the microphone from being activated without any indication.
  
  Postulated Remote Attacks
  
  In addition to the physical attack vector, multiple network-based attacks have been postulated that leverage certain behaviors of the Cisco Unified IP Phone. Thus far, the attacks have been predicated on exploiting the use of TFTP. TFTP is an unsecured transport protocol that operates over UDP and is susceptible to spoofing attacks. Cisco recognizes that TFTP is unsecured and has enabled administrators to cryptographically secure phone configuration files transferred over TFTP in Cisco Unified Call Manager Version 5.0 and later. Additionally, in version 8.0(1) and all subsequent releases, Cisco instituted a secure-by-default policy. These releases sign device configuration files by default and disable both the SSH and web daemons on the phones. Signing and encrypting device configuration files prevents an attacker from tampering or replacing these files by spoofing a TFTP server or server response. This is accomplished by verifying the cryptographic signature of these file before they are used by a device.
  
  In addition to these default protections, Cisco provides a comprehensive design guide for all voice network deployments. This includes suggested security feature configurations on intermediate and edge devices to prevent spoofed traffic from being passed on the voice network as well as the isolation and segregation of voice traffic from general network traffic. Security information for Cisco Unified Communications Manager Version 9.0 is available at the following link: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/9x/security.html
  
  Cisco recognizes that while a number of network, device, and configuration-based mitigations exist, there is no way to mitigate the physical attack vector on the affected devices. To this end, Cisco has conducted a phased remediation approach, which started with an intermediate Engineering Special software release for affected devices, that mitigates known attack vectors for the vulnerability documented in this advisory. This software release was available upon request from the Cisco Technical Assistance Center (TAC). Additional enhancements will follow in a Service Release that was posted on Cisco.com on February 14, 2013.
  
  The final remediation of this vulnerability has been made available as part of the 9.4(2) general availability software release for affected devices. The software was posted to Cisco.com in September 2014.
  
  This vulnerability is documented in Cisco bug ID CSCuc83860 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-5445.
  
  Software Hardening
  
  Changes have been made to the affected software to harden it against unauthorized access. The following changes have been made:
  

  • Disable the local console port on affected devices.
    • This change removes the ability to gain access to the command line of an affected device by physically accessing the AUX/Console port on the phone.

  • Remove the default user shell.
    • The interactive Unix-like shell has been removed from the affected devices. If SSH has been enabled, and a user successfully authenticates, the only shells available are the debug and log options.

  These changes have been documented in Cisco Bug ID CSCue04937 (registered customers only).
  
  Additional hardening measures have been made in the 9.3(1)SR2 service release. The following change has been made:
  

  • SSH authorized_keys file is no longer sent to phones
    • This change removes the ability to authenticate to a phone via SSH keys only. When SSH is enabled, administrators will need to authenticate via Username and Password as defined in a device's profile.

  These changes have been documented in Cisco Bug ID CSCue04970 (registered customers only).

Workarounds

• Administrators are advised to read and implement the mitigations found in the following Applied Mitigation Bulletin. If Cisco Unified IP Phones are not deployed on a Cisco infrastructure, administrators should at minimum consider deploying encrypted configurations and ensuring that SSH has been disabled. Configuration files from Cisco Unified Communications Manager Version 8.0(1) and later are signed by default for all affected Cisco Unified IP Phones 7900 Series devices.

  Additional mitigations that can be deployed on Cisco devices within the network are available in the companion document "Identifying and Mitigating Exploitation of the Cisco Unified IP Phone Local Kernel System Call Input Validation Vulnerability" at the following link:
  http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=27763

Fixed Software

• Cisco has released software version 9.4(2) that remediates the vulnerability described in this document. Release notes for this update can be found here: Cisco Unified IP Phone 7900 Series Release 9.4(2)
  
  When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory.
  
  This vulnerability was reported to Cisco by Ang Cui, Columbia University.

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-uipphone

Revision History

• Revision 1.4	2014-November-03	Updated Summary and Software Versions and Fixes Section to indicate the release of version 9.4(2), which remediates the core vulnerability.
  Revision 1.3	2013-March-27	Corrected Revision History table for Revision 1.2. Incorrect year had been given.
  Revision 1.2	2013-February-14	Added information regarding the release of general service release 9.3(1)SR2. Added additional hardening information to Details section.
  Revision 1.1	2013-January-17	Added information about Engineering Special release 9.3(1)-ES11.
  Revision 1.0	2013-January-09	Initial public release

  Show Complete History...