Categories: Breaking NewsHackingSecurity

Some models of Cisco IP Phones vulnerable to eavesdropping

Chris Watts discovered a security flaw affecting some models of Cisco IP Phones that could be exploited to eavesdrop on conversations and make phone calls.

Some models of Cisco IP phones for small businesses are affected by a vulnerability, coded as CVE-2015-0670 that could be exploited by a remote attacker to eavesdrop on conversations and make phone calls from the vulnerable phones.

The security flaw was discovered by security research Chris Watts from Tech Analysis, which reported two other flaws (CVE-2014-3313 and CVE-2014-3312)impacting Cisco SPA300 and SPA500 series IP phones.

The CVE-2014-3313 vulnerability is a cross-site scripting (XSS) affecting the web user interface on Cisco Small Business SPA300 and SPA500 IP phones, the flaw could be exploited by attackers to remotely inject arbitrary web script or HTML via a crafted URL
The CVE-2014-3312 vulnerability can be exploited by a local attacker to execute arbitrary commands (CVE-2014-3312).

The last vulnerability discovered by the expert, the CVE-2015-0670, allows unauthenticated remote dial vulnerability affects version 7.5.5 and later versions of the models belonging to the Cisco Small Business SPA300 and SPA500 series IP phones.

“Cisco Small Business SPA 300 and 500 Series IP phones contain a vulnerability that could allow an unauthenticated, remote attacker to access sensitive information. Updates are not available.” states the security advisory published by Cisco.

The exploitation of the vulnerability is quite simple, a remote unauthenticated attacker can exploit the flaw by sending a maliciously crafted XML request to the targeted IP phone. Threat actors could obtain sensitive information by eavesdropping audio streams from the phones.

“To exploit this vulnerability, an attacker may need access to trusted, internal networks behind a firewall to send crafted XML requests to the targeted device. This access requirement may reduce the likelihood of a successful exploit,” the company noted in its advisory.

The attackers can also exploit the flaw to make phone calls remotely from a vulnerable phone.

“A successful exploit could be used to conduct further attacks,” Cisco said.

Despite Cisco has publicly disclosed the flaw, rating its exploitation as a medium severity, its users remain vulnerable to the attacks because the company hasn’t planned any update to fix the issue.

As possible safeguards, Cisco suggests administrators to enable XML Execution authentication in the configuration settings of affected devices and to allow only trusted users to have network. It is strongly suggested to protect vulnerable Cisco system from external attacks by using a firewall or access control lists (ACLs) to allow only trusted IPs to access the IP phones.

Pierluigi Paganini

(Security Affairs – CISCO IP phone, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.