Synopsis
While conducting research on a Cisco Wireless IP Phone 8821, Tenable discovered a couple of vulnerabilities affecting numerous Cisco IP Phone models.
CVE-2020-3161: Unauthenticated Stack-Based Buffer Overflow
An unauthenticated remote attacker can trigger a stack-based buffer overflow by sending a crafted HTTP request to the /deviceconfig/setActivationCode endpoint. In libHTTPService.so, the parameters after /deviceconfig/setActivationCode are used to create a new URI via a sprintf function call. The length of the parameter string is not checked, so when an attacker supplies a long parameter string, sprintf overflows the stack-based buffer. This results in a crash of the device or could potentially allow for remote code execution.
A denial of service proof of concept can be found on our GitHub.
CVE-2016-1421: Unauthenticated Stack-Based Buffer Overflow
An unauthenticated remote attacker can trigger a stack-based buffer overflow by sending a crafted HTTP request to the /CGI/CallInfo endpoint. In libHTTPService.so, the parameters after /CGI/CallInfo are appended to a stack buffer using strcat. The length of the parameter string is not checked. When an attacker provides a long parameter string, strcat overflows the buffer. This results in a crash of the device or could potentially allow for remote code execution.
A denial of service proof of concept can be found on our GitHub.
During its original analysis, Tenable noted the similarity of this vulnerability to CSCuz03016. However, Cisco's advisory described that vulnerability as requiring authentication and as DoS only, and the Wireless IP Phone 8821 was not on its affected list. After Tenable disclosed the issue, Cisco informed Tenable that the described bug was CVE-2016-1421 and subsequently updated its advisory.
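Both CVEs above come down to the same defect: client-controlled parameter text written into a fixed stack buffer by sprintf or strcat with no length check. The following is an added illustration of that pattern with the bounds check restored; it is not Tenable's or Cisco's code. The "%s?%s" URI format, the 128-byte buffer size and the inputs in demo() are assumptions, since the advisory does not give libHTTPService.so's actual format string or buffer size.

```c
#include <stdio.h>
#include <string.h>

#define URI_BUF_SIZE 128  /* assumed size of the fixed stack buffer */

/* Bounded stand-in for sprintf(uri, "%s?%s", base, params) on a stack buffer.
 * Returns 0 on success, -1 when the result (plus its NUL) would not fit. */
int build_uri_bounded(char *out, size_t out_size, const char *base, const char *params)
{
    if (!out || !base || !params || out_size == 0) return -1;
    /* snprintf reports the length it WOULD need: this is the length check
     * the advisory says is missing before the unbounded sprintf call. */
    int needed = snprintf(out, out_size, "%s?%s", base, params);
    if (needed < 0 || (size_t)needed >= out_size) {
        out[0] = '\0';  /* never pass a silently truncated URI onward */
        return -1;
    }
    return 0;
}

/* Bounded stand-in for strcat(buf, params) on a fixed stack buffer. */
int append_params_bounded(char *buf, size_t buf_size, const char *params)
{
    const char *nul = memchr(buf, '\0', buf_size);
    if (!nul || !params) return -1;  /* destination not NUL-terminated within buf_size */
    size_t used = (size_t)(nul - buf), plen = strlen(params);
    if (plen >= buf_size - used) return -1;  /* would overflow once the NUL is counted */
    memcpy(buf + used, params, plen + 1);
    return 0;
}

/* Constructed inputs: benign parameter strings and an oversized one.
 * Returns 1 when both bounded builders accept the short input and
 * reject the long one, leaving the destination buffer well-formed. */
int demo(void)
{
    char uri[URI_BUF_SIZE], acc[URI_BUF_SIZE] = "/CGI/CallInfo", big[URI_BUF_SIZE * 2];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (build_uri_bounded(uri, sizeof uri, "/deviceconfig/setActivationCode", "code=1234") != 0
        || strcmp(uri, "/deviceconfig/setActivationCode?code=1234") != 0)
        return 0;
    if (build_uri_bounded(uri, sizeof uri, "/deviceconfig/setActivationCode", big) != -1 || uri[0] != '\0')
        return 0;
    if (append_params_bounded(acc, sizeof acc, "?line=1") != 0 || strcmp(acc, "/CGI/CallInfo?line=1") != 0)
        return 0;
    return append_params_bounded(acc, sizeof acc, big) == -1 && strcmp(acc, "/CGI/CallInfo?line=1") == 0;
}
```

The rejection path is what matters for this bug class: an oversized parameter string must be refused before any write, not truncated and used.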
Solution
Upgrade to the following versions or later:
- IP Phone 78xx: 11.7(1)
- IP Phone 88xx: 11.7(1)
- Unified IP Conference Phone 8831: 10.3(1)SR6
- Wireless IP Phone 8821, 8821-EX: 11.0(5)SR3
Additional References
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160609-ipp
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]