A vulnerability in the Cisco Small Business SPA300 and SPA500 Series IP Phones could allow an unauthenticated, local malicious user to access the debug shell and file system of the affected device. The vulnerability is due to insufficient authentication implementation in the debug console interface. An attacker could exploit this vulnerability by sending crafted commands to the debug interface of the affected device. An exploit could allow the malicious user to execute arbitrary commands and access system memory with elevated privileges. Cisco has confirmed the vulnerability in a security notice; however, software updates are not available. To exploit this vulnerability, an attacker must have local access to the targeted device. This access requirement may reduce the likelihood of a successful exploit. Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
cisco spa941 4-line ip phone with 1-port ethernet |
||
cisco spa922 1-line ip phone with 1-port ethernet |
||
cisco spa 504g 4-line ip phone |
||
cisco spa 502g 1-line ip phone |
||
cisco spa901 1-line ip phone |
||
cisco spa 525g2 5-line ip phone |
||
cisco spa 501g 8-line ip phone |
||
cisco spa 303 3 line ip phone |
||
cisco spa 525g 5-line ip phone |
||
cisco spa 514g 4-line ip phone |
||
cisco spa 301 1 line ip phone |
||
cisco spa962 6-line ip phone with 2-port switch |
||
cisco spa942 4-line ip phone with 2-port switch |
||
cisco spa 512g 1-line ip phone |
||
cisco spa 509g 12-line ip phone |
||
cisco spa 508g 8-line ip phone |
Open phones may crop up on Shodan
Creeps can listen in to conversations placed over vulnerable Cisco small business phones. Remote eavesdropping requires a crafted XML request be sent to the Borg's SPA 300 and 500 IP phones. Cisco warns version 7.5.5 of the software powering the phones is vulnerable, possibly along with more recent iterations. "An unauthenticated, remote attacker could exploit this vulnerability to listen to a remote audio stream from an affected device or to gain access to make phone calls remotely," it says in...