Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Cisco Unified Communications (VoIP) Vulnerabilities: Update your IP phones! - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Cisco Unified Communications (VoIP) Vulnerabilities: Update your IP phones!

Cisco has released a couple of security advisories covering vulnerabilities in their IP Phones and the Unified Communications Manager (UCM):

  • Cisco IP Phones present multiple and serious overflows and DoS vulnerabilities. It is time to update your VoIP phones! This issues affect phones using Skinny (SCCP) or/and SIP. The vulnerabilities affect several phone components, and the first four are specially relevant:
    • DNS (CVE-2008-0530): Malicious DNS responses may trigger a buffer overflow and execute arbitrary code on a vulnerable phone.
    • SSH ( CVE-2004-2486, old CVE): Buffer overflow on the phone SSH server that may allow remote code execution with system privileges.
    • SIP (CVE-2008-0528): Buffer overflow when handling MIME on SIP messages that may allow remote code execution.
    • SIP (CVE-2008-0531): Heap overflow when handling SIP challenge and response messages with the SIP proxy that may allow remote code execution.
    • ICMP (CVE-2008-0526): DoS due to large ICMP echo request packets (another ping of death!).
    • HTTP (CVE-2008-0527): DoS due to specially crafted HTTP requests to the phone HTTP server.
    • Telnet (CVE-2008-0529): Buffer overflow may allow privilege escalation.
  • Cisco UCM is vulnerable to SQL injection (CVE-2008-0026): An authenticated  user could access sensitive database information, such as usernames and password hashes, and call records, plus alter or delete call record
    information from the database. Update to UCM versions 5.1(3a) or 6.1(1a). The flaw is in the key parameter of either
    the admin or user interface page.

If you cannot immediately update your IP phones (please, do it asap!), disable the unused affected services on all your phones (what practically means disabling almost all ways of remotely managing the device: HTTP, SSH, Telnet...) or/and filter remote access to them using ACLs.


Raul Siles

152 Posts
Feb 15th 2008

Sign Up for Free or Log In to start participating in the conversation!