Cisco patches critical RCE vulnerabilities in IP phones
Target Industry
Indiscriminate, opportunistic targeting.
Overview
– CVE-2023-20078 – Severity Level – Critical (CVSSv3 base score of 9.8): Compromise will result in the loss of confidentiality and integrity of data.
– CVE-2023-20079 – Severity Level – High (CVSSv3 base score of 7.5): Compromise will result in the loss of confidentiality and integrity of data.
Cisco has disclosed two security vulnerabilities in the Web UI of various IP phone models. Both result from insufficient validation of user-supplied input and can be exploited by sending maliciously crafted requests to the targeted system's web-based management interface.
Impact
– Successful exploitation of CVE-2023-20078 will allow a threat actor to inject arbitrary commands that will be executed with root privileges.
– Successful exploitation of CVE-2023-20079 will allow an unauthenticated, remote threat actor to cause an affected device to reload, resulting in a denial-of-service (DoS) condition.
Vulnerability Detection
Cisco has released the required security patches for the CVE-2023-20078 RCE vulnerability but has not released patches to fix the CVE-2023-20079 DoS flaw. As such, previous versions remain vulnerable to potential exploitation.
Affected Products
CVE-2023-20078 affects the following Cisco products if they are running a vulnerable release of Cisco Multiplatform Firmware:
– IP Phone 6800 Series with Multiplatform Firmware
– IP Phone 7800 Series with Multiplatform Firmware
– IP Phone 8800 Series with Multiplatform Firmware
CVE-2023-20079 affects the following Cisco products if they are running a vulnerable release of Cisco Multiplatform Firmware or Cisco Unified Software:
– IP Phone 6800 Series with Multiplatform Firmware
– IP Phone 7800 Series with Multiplatform Firmware
– IP Phone 8800 Series with Multiplatform Firmware
– Unified IP Conference Phone 8831
– Unified IP Conference Phone 8831 with Multiplatform Firmware
– Unified IP Phone 7900 Series
Moreover, Cisco has confirmed that these vulnerabilities do not affect the following Cisco products:
– ATA 191 Analog Telephone Adapter
– ATA 192 Multiplatform Analog Telephone Adapter
– IP Conference Phone 7832
– IP Conference Phone 8832
– IP DECT 110 Repeater with Multiplatform Firmware
– IP DECT 210 Multi-Cell Base Station
– IP DECT 6823 with Multiplatform Firmware
– IP Phone 7800 Series
– IP Phone 8845 and 8865
– Unified IP Phone 3905
– Video Phone 8875
– Webex Room Phone
– Webex Share
– Webex Wireless Phones 840 and 860
– Wireless IP Phone 8821
Containment, Mitigations & Remediations
Cisco released security updates to address the CVE-2023-20078 RCE vulnerability. However, they have not released patches to fix the CVE-2023-20079 DoS flaw.
For CVE-2023-20078 on the IP Phone 6800, 7800 and 8800 Series, users are strongly recommended to upgrade to the following product version:
– 11.3.7SR1
The Cisco Multiplatform Firmware release 12.0.1 is not affected by either vulnerability.
Further details can be found on the Cisco Security Advisories Page.
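The following inventory triage sketch is an added example, not Cisco's or this advisory's own tooling. It applies the affected-product lists and the releases named above (11.3.7SR1 and 12.0.1) to a constructed device list. It assumes firmware is recorded as "major.minor.patch" with an optional "SR" suffix, that every Multiplatform release earlier than 11.3.7SR1 is exposed to CVE-2023-20078, and that releases earlier than 12.0.1 remain exposed to CVE-2023-20079.

```python
import re

FIXED_20078 = "11.3.7SR1"           # fixed release named in the advisory
UNAFFECTED = "12.0.1"               # release listed as unaffected by both CVEs
MPP_SERIES = {"6800", "7800", "8800"}   # Multiplatform Firmware series, both CVEs
NO_FIX_MODELS = {"7900", "8831"}        # listed for CVE-2023-20079 only


def parse_version(text):
    """'11.3.7SR1' -> (11, 3, 7, 1); a release without SR gets 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:SR(\d+))?", text.strip(), re.I)
    if m is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def exposure(model, firmware, multiplatform=True):
    """Return the CVE IDs a device should be treated as exposed to."""
    if model in NO_FIX_MODELS:
        return ["CVE-2023-20079"]          # no patch released, any firmware
    if model not in MPP_SERIES or not multiplatform:
        return []                          # not in the affected lists
    version = parse_version(firmware)
    if version >= parse_version(UNAFFECTED):
        return []
    cves = ["CVE-2023-20079"]              # assumption: exposed below 12.0.1
    if version < parse_version(FIXED_20078):
        cves.insert(0, "CVE-2023-20078")   # assumption: all earlier releases
    return cves


# Constructed inventory rows: (host, model, firmware, multiplatform firmware?)
INVENTORY = [
    ("phone-lobby", "8800", "11.3.6", True),
    ("phone-hr", "7800", "11.3.7SR1", True),
    ("phone-ops", "6800", "12.0.1", True),
    ("conf-room", "8831", "unknown", False),
    ("phone-legacy", "7800", "14.1.1", False),
]


def report(inventory):
    return {host: exposure(model, fw, mpp) for host, model, fw, mpp in inventory}


if __name__ == "__main__":
    for host, cves in report(INVENTORY).items():
        print(f"{host}: {', '.join(cves) or 'not listed as affected'}")
```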
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available at this time.
Threat Landscape
Cisco holds a significant share of the enterprise network infrastructure market. Threat actors generally weigh probability and asset value to determine which attack surfaces to focus on, which has made Cisco products a prime target. Because Cisco products have become integral to personal and business affairs, threat actors will continue to exploit vulnerabilities in these devices in an attempt to extract the sensitive data they hold.
Threat Group
No attribution to specific threat actors or groups has been identified at the time of writing.
Mitre Methodologies
Tactic:
TA0002 – Execution
Technique – Impact:
T1499 – Endpoint Denial of Service
Further Information
Bleeping Computer Article
Cisco Advisory