Cisco has addressed a critical security vulnerability found in the web user interface of several IP phone models that unauthenticated and remote attackers can exploit in remote code execution (RCE) attacks.

The RCE flaw (CVE-2023-20078) allows attackers to inject arbitrary commands that will be executed with root privileges after successful exploitation.

“A successful exploit could allow the attacker to execute arbitrary commands on an affected device’s underlying operating system,” Cisco said today.

The company also today disclosed a second high-severity vulnerability (CVE-2023-20079) that can be exploited to trigger denial of service (DoS) conditions.

Both bugs are due to insufficient validation of user-provided input and can be exploited using maliciously crafted requests sent to the targeted device’s web management interface.

The security flaws were discovered by Zack Sanchez of the Cisco Advanced Security Initiatives Group (ASIG) during internal security testing.

The list of affected devices includes Cisco IP Phone 6800, 7800, and 8800 series devices with cross-platform firmware (vulnerable to RCE and DoS attacks), as well as the Unified IP Conference Phone 8831, the Unified IP Conference Phone 8831 with cross-platform firmware, and Unified IP Phone 7900 series phones (only vulnerable to DoS attacks).

The company’s Product Security Incident Response Team (PSIRT) added that it has not seen evidence of attempts to exploit this security flaw in attacks.

Denial of service vulnerability remains unpatched

While Cisco has released security updates to address the CVE-2023-20078 RCE vulnerability, the company said it will not release patches to fix the CVE-2023-20079 DoS flaw.

“The Cisco Unified IP Phone 7900 Series and Cisco Unified IP Conference Phone 8831 have entered the end-of-life process,” the company explained.

Cisco also announced in December that it would release patches for a high-severity zero-day vulnerability (CVE-2022-20968) with public exploit code found in the Cisco Discovery Protocol (CDP) processing feature of Cisco IP phones running 7800 and 8800 series firmware.

Although a security update for CVE-2022-20968 is not yet available, administrators are advised to disable CDP on affected IP phone devices that support Link Layer Discovery Protocol (LLDP) to remove the attack vector.

In February 2020, Cisco patched five additional RCE and DoS vulnerabilities in the Cisco Discovery Protocol, collectively known as CDPwn and potentially affecting tens of millions of enterprise devices.

