Remote code execution in Cisco IP Phones
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Input validation error
EUVDB-ID: #VU25008
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-3111
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to missing checks when processing Cisco Discovery Protocol messages. A remote attacker on the local network can send a specially crafted Cisco Discovery Protocol packet to the targeted IP phone and execute arbitrary code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCisco IP Conference Phone 7832: before 12.7.1
Cisco IP Conference Phone 7832 with Multiplatform Firmware: before 11.3.1 SR1
Cisco IP Conference Phone 8832: before 12.7.1
Cisco IP Conference Phone 8832 with Multiplatform Firmware: before 11.3.1 SR1
Cisco IP Phone 6821 with Multiplatform Firmware: before 11.3.1 SR1
Cisco IP Phone 6841 with Multiplatform Firmware: before 11.3.1 SR1
Cisco IP Phone 6851 with Multiplatform Firmware: before 11.3.1 SR1
Cisco IP Phone 6861 with Multiplatform Firmware: before 11.3.1 SR1
Cisco IP Phone 6871 with Multiplatform Firmware: before 11.3.1 SR1
Cisco IP Phone 7811: before 12.7.1
Cisco IP Phone 7821: before 12.7.1
Cisco IP Phone 7841: before 12.7.1
Cisco IP Phone 7861: before 12.7.1
Cisco IP Phone 7811 with Multiplatform Firmware: before 11.3.1 SR1
Cisco IP Phone 7821 with Multiplatform Firmware: before 11.3.1 SR1
Cisco IP Phone 7841 with Multiplatform Firmware: before 11.3.1 SR1
Cisco IP Phone 7861 with Multiplatform Firmware: before 11.3.1 SR1
Cisco IP Phone 8811: before 12.7.1
Cisco IP Phone 8841: before 12.7.1
Cisco Wireless IP Phone 8851: before 12.7.1
Cisco IP Phone 8861: before 12.7.1
Cisco Wireless IP Phone 8845: before 12.7.1
Cisco IP Phone 8865: before 12.7.1
Cisco IP Phone 8811 with Multiplatform Firmware: before 11.3.1 SR1
Cisco IP Phone 8841 with Multiplatform Firmware: before 11.3.1 SR1
Cisco IP Phone 8851 with Multiplatform Firmware: before 11.3.1 SR1
Cisco IP Phone 8861 with Multiplatform Firmware: before 11.3.1 SR1
Cisco IP Phone 8845 with Multiplatform Firmware: before 11.3.1 SR1
Cisco IP Phone 8865 with Multiplatform Firmware: before 11.3.1 SR1
Cisco Unified IP Conference Phone 8831: 10.3.1
Cisco Unified IP Conference Phone 8831 for Third-Party Call Control: 9.3.4 SR3
Cisco Wireless IP Phone 8821: 11.0.5 SR1
Cisco Wireless IP Phone 8821-EX: 11.0.5 SR1
External linkshttp://packetstormsecurity.com/files/156203/Cisco-Discovery-Protocol-CDP-Remote-Device-Takeover.html
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-voip-phones-rce-dos
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
