CVE-2014-3312

Published: 09/07/2014 Updated: 29/08/2017
CVSS v2 Base Score: 6.9 | Impact Score: 10 | Exploitability Score: 3.4
VMScore: 614
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

A vulnerability in the Cisco Small Business SPA300 and SPA500 Series IP Phones could allow an unauthenticated, local malicious user to access the debug shell and file system of the affected device. The vulnerability is due to insufficient authentication implementation in the debug console interface. An attacker could exploit this vulnerability by sending crafted commands to the debug interface of the affected device. An exploit could allow the malicious user to execute arbitrary commands and access system memory with elevated privileges. Cisco has confirmed the vulnerability in a security notice; however, software updates are not available. To exploit this vulnerability, an attacker must have local access to the targeted device. This access requirement may reduce the likelihood of a successful exploit. Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

Vulnerable Product

cisco spa941 4-line ip phone with 1-port ethernet

cisco spa922 1-line ip phone with 1-port ethernet

cisco spa 504g 4-line ip phone

cisco spa 502g 1-line ip phone

cisco spa901 1-line ip phone

cisco spa 525g2 5-line ip phone

cisco spa 501g 8-line ip phone

cisco spa 303 3 line ip phone

cisco spa 525g 5-line ip phone

cisco spa 514g 4-line ip phone

cisco spa 301 1 line ip phone

cisco spa962 6-line ip phone with 2-port switch

cisco spa942 4-line ip phone with 2-port switch

cisco spa 512g 1-line ip phone

cisco spa 509g 12-line ip phone

cisco spa 508g 8-line ip phone

Vendor Advisories

A vulnerability in the Cisco Small Business SPA300 and SPA500 Series IP Phones could allow an unauthenticated, local attacker to access the debug shell and file system of the affected device. The vulnerability is due to insufficient authentication implementation in the debug console interface. An attacker could exploit this vulnerability by sendin ...

Recent Articles

CREEPS rejoice: Small biz Cisco phones open to eavesdrop 0-day
The Register • Darren Pauli • 23 Mar 2015

Open phones may crop up on Shodan

Creeps can listen in to conversations placed over vulnerable Cisco small business phones. Remote eavesdropping requires a crafted XML request be sent to the Borg's SPA 300 and 500 IP phones. Cisco warns version 7.5.5 of the software powering the phones is vulnerable, possibly along with more recent iterations. "An unauthenticated, remote attacker could exploit this vulnerability to listen to a remote audio stream from an affected device or to gain access to make phone calls remotely," it says in...