Cisco SPA100 Series Multiple Vulnerabilities
Medium Nessus Plugin ID 129982
Synopsis
The remote device is missing a vendor-supplied security patch.
Description
The remote Cisco SPA100 Series device is affected by multiple vulnerabilities:
- Multiple remote code execution vulnerabilities. An authenticated attacker can cause a stack overflow leading to control flow change in the Cisco SPA 112/122 device. (CVE-2019-15240, CVE-2019-15241, CVE-2019-15242, CVE-2019-15243, CVE-2019-15244, CVE-2019-15245, CVE-2019-15246, CVE-2019-15247, CVE-2019-15248, CVE-2019-15249, CVE-2019-15250, CVE-2019-15251, CVE-2019-15252)
- An arbitrary file disclosure vulnerability. An unauthenticated attacker can read any file on the device and elevate local privilege. (CVE-2019-12704)
- Multiple privilege escalation vulnerabilities. An authenticated attacker can leak the administrator password hash to escalate local privilege. (CVE-2019-12708, CVE-2019-15257)
- A denial of service vulnerability. An authenticated attacker can crash the web service with a malformed request. (CVE-2019-12258)
Solution
Upgrade Cisco SPA100 Series to firmware version 1.4.1 SR5 or later.