No firmware update available to mitigate the risk

Mar 23, 2015 15:09 GMT

The firmware of some IP phones from Cisco suffers from a vulnerability that allows a remote attacker to tap into the conversation without needing to authenticate.

The flaw resides in the default configuration of the device, and touches on insufficient authentication settings.

Vulnerability receives medium severity score

Apart from eavesdropping on the audio stream, which is reason enough for concern in itself, exploiting the flaw can also allow an attacker to place phone calls from a remote location and to carry out other attacks that rely on information gathered by intercepting the audio.

The affected devices are Cisco Small Business SPA 300 and 500 series IP phones running firmware version 7.5.5, and the weakness can be leveraged by sending them a specially crafted XML request. However, Cisco warns that later firmware versions of these devices may also be vulnerable.

A security advisory from the company says that the attacker may need access to a trusted, internal network in order to start the attack. This lowers the likelihood of a successful incident based on this flaw, since internal networks benefit from extra security measures such as firewalls and intrusion detection/prevention systems (IDS/IPS).

This is also one of the reasons the vulnerability (CVE-2015-0670) has been classified as medium severity, with a score of 6.4 under the Common Vulnerability Scoring System (CVSS).

Solutions for mitigating the risk

There is no firmware update that plugs the security hole at the moment, but Cisco offers a workaround to protect against attacks. It consists of turning on authentication for XML execution in the device's settings.

To reduce the risk further, administrators can also restrict network access to the device so that only trusted users can reach it. Enforcing strong firewall policies should contribute to mitigating the risk as well.

“Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems,” continues the list of suggestions in Cisco’s alert.

Keeping the affected devices under close monitoring is yet another recommendation of the manufacturer.

SPA 300 IP phones from Cisco are also vulnerable