Cisco Unified IP Phones Multiple Vulnerabilities (cisco-sa-20110601-phone)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote IP telephony device is missing a vendor-supplied patch.

Description :

According to its self-reported version, the version of the Cisco
Unified IP Phone software running on the remote device has the following
vulnerabilities :

- Cisco Unified IP Phones 7900 series are prone to
privilege escalation vulnerabilities. An authenticated
attacker could exploit this issue to perform
unauthorized phone configuration changes or to gain
access to sensitive information. (CVE-2011-1602,
CVE-2011-1603)

- Cisco Unified IP Phones 7900 series are prone to a
security bypass vulnerability. An attacker can exploit
this issue to bypass the signature-verification
mechanism. Successful exploits could allow an
authenticated attacker to load a crafted software image
with no signature verification. (CVE-2011-1637)

See also :

http://www.nessus.org/u?889b4785

Solution :

Apply the relevant update referenced in Cisco Security Advisory
cisco-sa-20110601-phone.

Risk factor :

Medium / CVSS Base Score : 6.6
(CVSS2#AV:L/AC:M/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 5.5
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: CISCO

Nessus Plugin ID: 70095 ()

Bugtraq ID: 48074
48075
48079

CVE ID: CVE-2011-1602
CVE-2011-1603
CVE-2011-1637