Pierluigi Paganini April 17, 2020

Cisco released security patches to address numerous flaws in its products, including critical severity issues that affect IP Phones and UCS Director.

The critical vulnerability fixed by Cisco affects IP Phones and resides on the webserver, the flaw could be exploited by a remote, unauthenticated attacker to execute code with root privileges. The flaw, tracked as CVE-2020-3161, has been rated as a critical severity and received a CVSS score of 9.8.

“A vulnerability in the web server for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition.” reads the advisory published by Cisco.

“The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition.”

The CVE-2020-3161 vulnerability is caused by the improper validation of HTTP requests, an attacker could exploit the issue by sending a crafted HTTP request to the web server of the vulnerable IP Phones.

“An unauthenticated remote attacker can trigger a stack-based buffer overflow by sending a crafted HTTP request to the /deviceconfig/setActivationCode endpoint.” reads the analysis published by Tenable, the company that reported the vulnerability.

“In libHTTPService.so, the parameters after /deviceconfig/setActivationCode are used to create a new URI via a sprintf function call. The length of the parameter string is not checked. When an attacker provides a long parameter string then sprintf overflows the provided stack-based buffer.”

Tenable also published a denial of service proof of concept for this issue on GitHub.

The issue affects the following Cisco products if they have web access enabled and are running a firmware release earlier than the first fixed release for that device:

• IP Phone 7811, 7821, 7841, and 7861 Desktop Phones
• IP Phone 8811, 8841, 8845, 8851, 8861, and 8865 Desktop Phones
• Unified IP Conference Phone 8831
• Wireless IP Phone 8821 and 8821-EX

Cisco pointed out that it is not aware of attacks exploiting the flaw in attacks in the wild.

Cisco also fixed three critical vulnerabilities, tracked CVE-2020-3239, CVE-2020-3240, and CVE-2020-3243, in Cisco UCS Director and UCS Director Express for Big Data. The flaws affect the REST API and could be exploited by a remote, unauthenticated attacker to bypass authentication or conduct directory traversal attacks.

“Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device.” reads the advisory published by Cisco.

The issues exist due to insufficient access control validation and improper input validation. Cisco addressed the flaw by releasing UCS Director 6.7.4.0 and UCS Director Express for Big Data 3.7.4.0.

Cisco also addressed several high severity flaws affecting Wireless LAN Controller (WLC) Software, Webex Network Recording Player and Webex Player, Mobility Express Software, IoT Field Network Director, Unified Communications Manager (UCM) and UCM Session Management Edition (SME), and Aironet Series Access Points Software.

Pierluigi Paganini

(SecurityAffairs – IP Phones, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]