Some of the IP phones designed by Cisco for small businesses are plagued by a vulnerability that allows a remote attacker to eavesdrop on conversations and make phone calls from affected devices, the company revealed last week.
The unauthenticated remote dial vulnerability (CVE-2015-0670) affects version 7.5.5 and possibly later versions of Cisco Small Business SPA300 and SPA500 series IP phones.
According to an advisory published by Cisco, the flaw is caused by improper authentication settings in the affected software’s default configuration. A remote, unauthenticated attacker can exploit the weakness by sending a maliciously crafted XML request to the targeted IP phone.
Malicious actors could obtain sensitive information by listening in on audio streams from the device. They can also leverage the bug to make phone calls remotely from a vulnerable phone. “A successful exploit could be used to conduct further attacks,” Cisco said.
“To exploit this vulnerability, an attacker may need access to trusted, internal networks behind a firewall to send crafted XML requests to the targeted device. This access requirement may reduce the likelihood of a successful exploit,” the company noted in its advisory.
Cisco has confirmed the security hole, but updates that address this issue are not yet available. The company believes it’s unlikely for this medium severity vulnerability to be exploited.
Until security updates become available, administrators are advised to enable XML execution authentication from the device’s settings menu, and limit network access to trusted users.
The security hole was discovered by Chris Watts of Tech Analysis. In July 2014, the researcher reported two other flaws impacting Cisco SPA300 and SPA500 series IP phones: a cross-site scripting (XSS) vulnerability (CVE-2014-3313), and a vulnerability that can be exploited by a local attacker to execute arbitrary commands (CVE-2014-3312). At around the same time, Watts also identified a remote code execution flaw in Cisco modems.
Earlier this month, Cisco announced the availability of security updates that fix vulnerabilities in Cisco Intrusion Prevention System (IPS), TelePresence Video Communication Server (VCS), Expressway, and TelePresence Conductor.