Cisco released security updates to address a critical flaw impacting its IP Phone 6800, 7800, and 8800 Series Multiplatform Phones.
The flaw, tracked as CVE-2023-20078 (CVSS score: 9.8), is a command injection issue in the web-based management interface, caused by insufficient validation of user-supplied input.
An unauthenticated, remote attacker can exploit the vulnerability by sending a crafted request to the management interface and execute arbitrary commands as root on the underlying operating system.
“A vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 Series Multiplatform Phones could allow an unauthenticated, remote attacker to inject arbitrary commands that are executed with root privileges.” reads the advisory. “This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device.”
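The advisory names the bug class (OS command injection through insufficiently validated input in a management web UI) but gives no details of the affected code path. The following added example is not Cisco's code and does not reproduce the actual flaw; it is a constructed, minimal "ping host" action of a hypothetical management handler, shown first in the vulnerable shape the advisory describes and then hardened with an allowlist check and shell-free execution. The hostname pattern and `echo` stand-in are assumptions made so it runs harmlessly offline.

```python
import re
import subprocess

# Constructed example: a minimal "ping" action from a hypothetical web-based
# management interface. Not Cisco's code; it illustrates the bug class named in
# the advisory (command injection through insufficiently validated input).

# Assumed allowlist: a plausible DNS hostname or dotted IPv4 literal, nothing else.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def vulnerable_ping(host: str) -> str:
    """Vulnerable: the user-supplied value is spliced into a shell command line.

    Metacharacters such as ';' end the intended command and start another one,
    which runs with the privileges of the web server process (root, in the
    scenario the advisory describes). 'echo' stands in for the real tool so
    the example runs harmlessly.
    """
    completed = subprocess.run(
        f"echo pinging {host}", shell=True, capture_output=True, text=True
    )
    return completed.stdout


def hardened_ping(host: str) -> str:
    """Hardened: validate against an allowlist, then exec without a shell.

    Rejecting anything that is not a plausible hostname, and passing the value
    as a single argv element, means no shell ever parses it, so metacharacters
    stay inert even if the allowlist were loosened later.
    """
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    completed = subprocess.run(
        ["echo", "pinging", host], shell=False, capture_output=True, text=True
    )
    return completed.stdout


if __name__ == "__main__":
    payload = "203.0.113.1; echo INJECTED"  # constructed attacker input
    # The vulnerable handler prints a second line, INJECTED: the injected command ran.
    print(vulnerable_ping(payload), end="")
    try:
        hardened_ping(payload)
    except ValueError as err:
        print("rejected:", err)
```

Two things matter in the hardened version: the allowlist is positive (what is permitted), not a denylist of shell characters, and the command is executed as an argv list so the fix does not depend on the allowlist being perfect.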
The IT giant also addressed a high-severity denial-of-service (DoS) vulnerability, tracked as CVE-2023-20079 (CVSS score: 7.5), impacting the same Multiplatform Phone series.
The issue also impacts the Cisco Unified IP Conference Phone 8831 and Unified IP Phone 7900 Series.
“A vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 Series Multiplatform Phones, as well as Cisco Unified IP Conference Phone 8831 and Unified IP Phone 7900 Series Phones, could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.” reads the advisory.
The root cause of the vulnerability is the insufficient validation of user-supplied input in the web-based management interface.
To fix CVE-2023-20078, Cisco's fixed release for the IP Phone 6800, 7800, and 8800 Series Multiplatform Phones is Multiplatform Firmware 11.3.7SR1; devices running any release earlier than 11.3.7SR1 are affected and should be migrated to a fixed release.
The company will not release updates to fix CVE-2023-20079 on the Unified IP Conference Phone 8831 and Unified IP Phone 7900 Series, because those products have entered the end-of-life (EoL) process.
“Cisco has not released and will not release software updates to address the vulnerabilities that are described in CVE-2023-20079. Cisco Unified IP Phone 7900 Series and Cisco Unified IP Conference Phone 8831 have entered the end-of-life process. Customers are advised to refer to the end-of-life notices for these products:” concludes the advisory.
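For fleet triage, the advisory gives two facts a script can act on: the fixed Multiplatform Firmware release (11.3.7SR1) for the 6800, 7800 and 8800 Series, and the two end-of-life series (7900 and 8831) that get no fix for CVE-2023-20079. The following added example is not a Cisco tool; it sorts a constructed phone inventory into upgrade / fixed / replace / review buckets. It assumes the advisory-style version format `major.minor.patch` with an optional `SR<n>` suffix, and that `SR<n>` sorts after the base release and after lower SR numbers; device names, series labels and firmware strings in the sample are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed example (not Cisco tooling): triage an inventory of IP phones
# against the facts stated in the Cisco advisory.
FIXED_RELEASE = "11.3.7SR1"          # first fixed MPP firmware, per the advisory
EOL_NO_FIX_SERIES = {"7900", "8831"}  # no fix for CVE-2023-20079, per the advisory

# Assumption: advisory-style version strings are major.minor.patch with an
# optional "SR<n>" service-release suffix, and SR<n> sorts after the base
# release and after lower SR numbers (11.3.7 < 11.3.7SR1 < 11.3.7SR2).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:SR(\d+))?$", re.IGNORECASE)


def parse_mpp_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return a comparable (major, minor, patch, sr) tuple, or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, sr = m.groups()
    return (int(major), int(minor), int(patch), int(sr) if sr else 0)


def is_affected(version: str) -> Optional[bool]:
    """True if earlier than the fixed release, False if at/above it, None if unknown."""
    parsed = parse_mpp_version(version)
    if parsed is None:
        return None
    return parsed < parse_mpp_version(FIXED_RELEASE)


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Bucket (device, series, firmware) records.

    - 'replace': EoL series with no fix available; isolate or retire.
    - 'upgrade': fixable series on firmware earlier than the fixed release.
    - 'fixed':   fixable series at or above the fixed release.
    - 'review':  firmware string not understood. An unknown version is a
                 finding to chase, never silently treated as fixed.
    """
    buckets: Dict[str, List[str]] = {"replace": [], "upgrade": [], "fixed": [], "review": []}
    for device, series, firmware in inventory:
        if series in EOL_NO_FIX_SERIES:
            buckets["replace"].append(device)
            continue
        verdict = is_affected(firmware)
        if verdict is None:
            buckets["review"].append(device)
        elif verdict:
            buckets["upgrade"].append(device)
        else:
            buckets["fixed"].append(device)
    return buckets


# Constructed sample inventory: names, series and firmware strings are made up.
SAMPLE_INVENTORY = [
    ("phone-lobby-01", "6800", "11.3.6"),
    ("phone-lobby-02", "7800", "11.3.7"),
    ("phone-desk-17", "8800", "11.3.7SR1"),
    ("phone-desk-18", "8800", "11.3.7SR2"),
    ("phone-conf-a", "8800", "12.0.1"),
    ("phone-conf-b", "8831", "10.0.0"),
    ("phone-legacy-3", "7900", "9.4.2"),
    ("phone-desk-99", "6800", "unknown"),
]

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8s}: {', '.join(devices) or '-'}")
```

The version parser is deliberately strict: a firmware string that does not match the expected shape lands in `review` rather than being guessed at, because a wrong "fixed" verdict is the costly mistake here.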
The good news is that the Cisco PSIRT is not aware of any malicious exploitation attempts targeting the vulnerabilities.
(SecurityAffairs – hacking, IP Phone)