Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Cisco Patches High Severity Vulnerabilities in IP Phones

Cisco this week released security patches to address high severity vulnerabilities in its IP Phone 8800 Series and IP Phone 7800 Series. 

A total of five vulnerabilities were addressed, all impacting the web-based management interface of Session Initiation Protocol (SIP) Software of IP Phone 8800 Series. 

Cisco this week released security patches to address high severity vulnerabilities in its IP Phone 8800 Series and IP Phone 7800 Series. 

A total of five vulnerabilities were addressed, all impacting the web-based management interface of Session Initiation Protocol (SIP) Software of IP Phone 8800 Series. 

Tracked as CVE-2019-1765, the first vulnerability is a path traversal that could allow an authenticated, remote attacker to write arbitrary files to the filesystem. The issue is created due to insufficient input validation and file-level permissions and can be exploited by uploading invalid files to an affected device.

The second issue, CVE-2019-1766, could be exploited by an unauthenticated, remote attacker to cause high disk utilization, resulting in a denial of service (DoS) condition. The bug resides in the affected software not restricting the maximum size of certain files that can be written to disk. 

“An attacker who has valid administrator credentials for an affected system could exploit this vulnerability by sending a crafted, remote connection request to an affected system. A successful exploit could allow the attacker to write a file that consumes most of the available disk space on the system, causing application functions to operate abnormally and leading to a DoS condition,” Cisco explains

An authorization bypass (CVE-2019-1763) could be exploited to access critical services and cause a denial of service (DoS) condition. The vulnerability is caused by a failure to sanitize URLs before handling requests and can be triggered by submitting a crafted URL. 

The SIP software is also impacted by a Cross-Site Request Forgery (CVE-2019-1764) flaw, due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker can exploit the bug by tricking the user into following a crafted link. They can then perform arbitrary actions on a targeted device via a web browser and with the privileges of the user.

The fifth bug is a remote code execution vulnerability (CVE-2019-1716) impacting both IP Phone 7800 Series and IP Phone 8800 Series and caused by improper validation of user-supplied input during user authentication. 

Advertisement. Scroll to continue reading.

“An attacker could exploit this vulnerability by connecting to an affected device using HTTP and supplying malicious user credentials. A successful exploit could allow the attacker to trigger a reload of an affected device, resulting in a DoS condition, or to execute arbitrary code with the privileges of the app user,” Cisco explains. 

Earlier this week, the company patched vulnerabilities in the Nexus 9000 Series ACI Mode Switch Software (a shell escape – CVE-2019-1591) and NX-OS Software (unauthorized filesystem access – CVE-2019-1601; denial of service – CVE-2019-1616; improper verification of digital signatures for software images – CVE-2019-1615; and command injection – CVE-2019-1613). 

Related: Default Account in Cisco CSPC Allows Unauthorized Access

Related: Cisco Patches Critical Vulnerability in Wireless Routers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.