A vulnerability in Cisco IP phones could allow unauthenticated attackers to remotely listen in on the phones’ audio streams. According to an advisory Cisco published on its website, the vulnerability (CVE-2015-0670) results from improper authentication in the default configuration of certain Cisco IP phones.
“An attacker could exploit this vulnerability by sending a crafted XML request to the affected device,” the advisory explains. “An exploit could allow the attacker to listen to a remote audio stream or make phone calls remotely.”
Cisco has revealed that version 7.5.5 of the software that powers its Small Business SPA 300 and 500 series IP phones is vulnerable, though other versions might also be affected. Attackers could potentially locate Cisco IP phones that run on these vulnerable software versions using the Shodan search engine.

The vulnerability was first discovered by Chris Watts of Tech Analysis, who was charged by Cisco with finding security flaws in the company’s Shared Port Adapter IP hardware and software. Watts discovered three vulnerabilities in total. One of the other flaws (CVE-2014-3313) allows attackers to elevate privileges using cross-site scripting (XSS) attacks. The third and final vulnerability (CVE-2014-3312) enables unauthenticated remote users to leverage elevated privileges in order to execute arbitrary code or modify memory.

After initially rejecting the idea of a software fix, Cisco has announced that it will indeed issue a patch for the vulnerabilities. “I can confirm that Cisco is working on a patch and will provide it for our customers,” Cisco senior manager for business critical communications Nigel Glennie told iTnews.

In the meantime, it is recommended that administrators enable XML Execution authentication in the configuration settings of all affected devices and make sure that only trusted users have access to phones that are installed on corporate networks. Cisco suggested that admins also use solid firewall strategies and IP-based access control lists (ACLs) as additional safety measures until a patch is issued.