Some models of Cisco IP Phones vulnerable to eavesdropping

Chris Watts discovered a security flaw affecting some models of Cisco IP Phones that could be exploited to eavesdrop on conversations and make phone calls.

Some models of Cisco IP phones for small businesses are affected by a vulnerability, coded as CVE-2015-0670 that could be exploited by a remote attacker to eavesdrop on conversations and make phone calls from the vulnerable phones.

The security flaw was discovered by security research Chris Watts from Tech Analysis, which reported two other flaws (CVE-2014-3313 and CVE-2014-3312)impacting Cisco SPA300 and SPA500 series IP phones.

• The CVE-2014-3313 vulnerability is a cross-site scripting (XSS) affecting the web user interface on Cisco Small Business SPA300 and SPA500 IP phones, the flaw could be exploited by attackers to remotely inject arbitrary web script or HTML via a crafted URL
• The CVE-2014-3312 vulnerability can be exploited by a local attacker to execute arbitrary commands (CVE-2014-3312).

The last vulnerability discovered by the expert, the CVE-2015-0670, allows unauthenticated remote dial vulnerability affects version 7.5.5 and later versions of the models belonging to the Cisco Small Business SPA300 and SPA500 series IP phones.

“Cisco Small Business SPA 300 and 500 Series IP phones contain a vulnerability that could allow an unauthenticated, remote attacker to access sensitive information. Updates are not available.” states the security advisory published by Cisco.

The exploitation of the vulnerability is quite simple, a remote unauthenticated attacker can exploit the flaw by sending a maliciously crafted XML request to the targeted IP phone. Threat actors could obtain sensitive information by eavesdropping audio streams from the phones.

“To exploit this vulnerability, an attacker may need access to trusted, internal networks behind a firewall to send crafted XML requests to the targeted device. This access requirement may reduce the likelihood of a successful exploit,” the company noted in its advisory.

The attackers can also exploit the flaw to make phone calls remotely from a vulnerable phone.

“A successful exploit could be used to conduct further attacks,” Cisco said.

Despite Cisco has publicly disclosed the flaw, rating its exploitation as a medium severity, its users remain vulnerable to the attacks because the company hasn’t planned any update to fix the issue.

As possible safeguards, Cisco suggests administrators  to enable XML Execution authentication in the configuration settings of affected devices and to allow only trusted users to have network. It is strongly suggested to protect vulnerable Cisco system from external attacks by using a firewall or access control lists (ACLs) to allow only trusted IPs to access the IP phones.

Pierluigi Paganini

(Security Affairs –  CISCO IP phone, hacking)