Cisco patches critical RCE vulnerabilities in IP phones

Target Industry

Indiscriminate, opportunistic targeting.

Overview

– CVE-2023-20078 – Severity Level – Critical (CVSSv3 base score of 9.8): Compromise will result in the loss of confidentiality and integrity of data.
– CVE-2023-20079 – Severity Level – High (CVSSv3 base score of 7.5): Compromise will result in the loss of confidentiality and integrity of data.

Cisco has disclosed two security vulnerabilities that were detected in the Web UI for various IP phone models. Both security vulnerabilities have arisen as a result of insufficient validation of user-supplied input and can both be exploited by sending maliciously crafted requests to the targeted system’s web-based management interface.

Impact

– Successful exploitation of CVE-2023-20078 will allow a threat actor to inject arbitrary commands that will be executed with root privileges.
– Successful exploitation of CVE-2023-20079 will allow an unauthenticated, remote threat actor to cause an affected device to reload, resulting in a denial-of-service (DoS) condition.

Vulnerability Detection

Cisco has released the required security patches for the CVE-2023-20078 RCE vulnerability. However, they have not released patches to fix the CVE-2023-20079 DoS flaw. As such, previous versions are vulnerable to potential exploits.

Affected Products

CVE-2023-20078 affects the following Cisco products if they are running a vulnerable release of Cisco Multiplatform Firmware:

– IP Phone 6800 Series with Multiplatform Firmware
– IP Phone 7800 Series with Multiplatform Firmware
– IP Phone 8800 Series with Multiplatform Firmware

CVE-2023-20079 affects the following Cisco products if they are running a vulnerable release of Cisco Multiplatform Firmware or Cisco Unified Software:

– IP Phone 6800 Series with Multiplatform Firmware
– IP Phone 7800 Series with Multiplatform Firmware
– IP Phone 8800 Series with Multiplatform Firmware
– Unified IP Conference Phone 8831
– Unified IP Conference Phone 8831 with Multiplatform Firmware
– Unified IP Phone 7900 Series

Moreover, Cisco has confirmed that these vulnerabilities do not affect the following Cisco products:

– ATA 191 Analog Telephone Adapter
– ATA 192 Multiplatform Analog Telephone Adapter
– IP Conference Phone 7832
– IP Conference Phone 8832
– IP DECT 110 Repeater with Multiplatform Firmware
– IP DECT 210 Multi-Cell Base Station
– IP DECT 6823 with Multiplatform Firmware
– IP Phone 7800 Series
– IP Phone 8845 and 8865
– Unified IP Phone 3905
– Video Phone 8875
– Webex Room Phone
– Webex Share
– Webex Wireless Phones 840 and 860
– Wireless IP Phone 8821

Containment, Mitigations & Remediations

Cisco released security updates to address the CVE-2023-20078 RCE vulnerability. However, they have not released patches to fix the CVE-2023-20079 DoS flaw.

As it pertains to CVE-2023-20078 for IP Phone Series 6800, 7800 and 8800, users are strongly recommended to upgrade to the following product version:

– 11.3.7SR1

The Cisco Multiplatform Firmware release 12.0.1 is not affected by either vulnerability.

Further details can be found on the Cisco Security Advisories Page.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available at this time.

Threat Landscape

Cisco occupies a significant proportion of the enterprise network infrastructure market share. Threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on. As a result, Cisco products have become a prime target. Due to the fact that Cisco products have become an integral aspect of personal and business affairs, threat actors will continue to exploit vulnerabilities contained within the associated devices in an attempt to extract the sensitive data contained therein.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactic:
TA0002 – Execution

Technique – Impact:
T1499 – Endpoint Denial of Service

Further Information

Bleeping Computer Article
Cisco Advisory