Warning of critical vulnerabilities in Cisco telephony devices

The National Cyber Security Centre SK-CERT is warning of vulnerabilities in Cisco telephony devices that could be exploited by remote unauthenticated attackers for arbitrary code execution (ACE) or denial of service (DoS).

Critical vulnerabilities identified by CVE-2023-20078 and CVE-2023-20079 could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service.

The critical vulnerabilities CVE-2023-20078 and CVE-2023-20079 have a CVSS score of 9.8.

Cisco telephone devices are very popular and widely used in various types of organizations in Slovakia. It can be expected that the vulnerabilities mentioned above will be exploited by attackers.

Exploitation scenarios

Due to the specific type of vulnerable devices, SK-CERT foresees the following possible exploitation scenarios:

  • interception of telephone calls – since the affected devices are IP phones, calls could be intercepted in several ways, including redirection of telephone communication to an IP PBX under the control of the attacker,
  • eavesdropping on conversations in the room, even outside a phone call – IP phones can open a call on the speakerphone without ringing or user action,
  • automated calls to paid lines – compromised devices can initiate calls to paid foreign phone numbers, with high financial implications,
  • unobserved monitoring of an organisation’s activities and conducting further attacks – as devices of this type are usually not monitored, they can be used to launch further attacks on an organisation,
  • participation of devices in a botnet – vulnerabilities of this type have often been exploited in the past to infect devices with malicious code that places them in a botnet, after which the compromised devices attack other targets,
  • many other exploitation scenarios are also conceivable, including disabling telephone services. This can be particularly critical because it would disable even calls to emergency lines.

Affected devices

Products affected by vulnerability CVE-2023-20078:

IP Phone 6800 series with multiplatform firmware
IP Phone 7800 series with multiplatform firmware
IP Phone 8800 series with multiplatform firmware

Products affected by CVE-2023-20079:

IP Phone 6800 series with multiplatform firmware
IP Phone 7800 series with multiplatform firmware
IP Phone 8800 series with multiplatform firmware
IP Conference Phone 8831
IP Conference Phone 8831 with multiplatform firmware
IP Phone 7900 Series

Cisco has released a software update that fixes the described vulnerabilities.

In connection with these vulnerabilities, the National Cyber Security Centre SK-CERT advises all users who are using products with the vulnerable version to:

  • immediately update the firmware of the above-mentioned devices to the latest available version,
  • after the update, change all passwords on both the telephones (administration) and the VoIP service (voice),
  • check network logs, focusing on suspicious network activity from the phones prior to the time of the upgrade,
  • operate the phones on a separate VoIP network, block access from that network to the Internet (including DNS resolution), and do not, under any circumstances, make the phones accessible at public IP addresses,
  • regularly update IoT devices as well,
  • introduce monitoring of the network activity of phone devices.
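
One way to carry out the log check and phone monitoring recommended above, shown as an added example that is not part of the SK-CERT advisory. The phone subnet, internal range, allowed destinations, log format and sample records are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime
from ipaddress import ip_address, ip_network

# Site-specific assumptions (constructed for this example)
VOIP_NET = ip_network("10.20.0.0/24")      # dedicated phone VLAN
INTERNAL_NET = ip_network("10.0.0.0/8")    # everything outside this is "Internet"
ALLOWED_DSTS = {                           # the only hosts the phones need to reach
    ip_address("10.20.1.10"),              # IP PBX (SIP/RTP)
    ip_address("10.20.1.53"),              # internal DNS resolver
}

# Constructed flow records; external addresses come from documentation ranges
SAMPLE_LOG = """\
ts,src,dst,proto,dport
2023-03-01T08:00:02,10.20.0.15,10.20.1.10,udp,5060
2023-03-01T08:00:05,10.20.0.15,10.20.1.53,udp,53
2023-03-01T23:41:10,10.20.0.15,198.51.100.53,udp,53
2023-03-01T23:41:12,10.20.0.15,203.0.113.7,tcp,443
2023-03-02T02:10:00,10.20.0.15,10.30.5.20,tcp,445
2023-03-02T02:11:00,10.40.0.9,198.51.100.1,tcp,443
2023-03-05T09:00:00,10.20.0.15,203.0.113.7,tcp,443
"""

def suspicious_flows(log_text, upgraded_at):
    """Return (ts, src, dst, dport, reason) for phone flows that left the
    allowlist before the firmware upgrade time."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["ts"])
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        # Only phones, only the pre-upgrade window, only non-allowlisted peers
        if src not in VOIP_NET or ts >= upgraded_at or dst in ALLOWED_DSTS:
            continue
        if dst not in INTERNAL_NET:
            # The advisory asks to block Internet access including DNS
            reason = "external DNS" if row["dport"] == "53" else "Internet egress"
        else:
            # A phone reaching other internal hosts may indicate a further attack
            reason = "unexpected internal destination"
        findings.append((row["ts"], str(src), str(dst), int(row["dport"]), reason))
    return findings

if __name__ == "__main__":
    for finding in suspicious_flows(SAMPLE_LOG, datetime(2023, 3, 4, 12, 0)):
        print(*finding)
```

Removing the `ts >= upgraded_at` condition turns the same check into the ongoing monitoring of phone traffic that the last recommendation calls for.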

If you detect a cyber security incident, be sure to report it to the National Cyber Security Centre SK-CERT at [email protected].

Resources

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-cmd-inj-KMFynVcP

