There comes word today of some rather nasty vulnerabilities that effect Cisco IP phones. Some of the affected Cisco (CSCO) devices are:
The following Cisco Unified IP Phone devices running Skinny Client Control Protocol (SCCP) firmware:
7906G, 7911G, 7935, 7936, 7940, 7940G, 7941G, 7960, 7960G, 7961G, 7970G, 7971G
The following Cisco Unified IP Phone devices running Session Initiation Protocol (SIP) firmware:
7940, 7940G, 7960, 7960G
The version of firmware running on an IP Phone can be determined via the Settings menu on the phone or via the phone HTTP interface.
There are numerous vulnerabilities involved here. I have listed the lot after the jump.
SCCP and SIP-Related Vulnerabilities
* DNS Response Parsing Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SCCP and SIP firmware contain a buffer overflow vulnerability in the handling of DNS responses. A specially-crafted DNS response may be able to trigger a buffer overflow and execute arbitrary code on a vulnerable phone. This vulnerability is corrected in SCCP firmware version 8.0(8) and SIP firmware version 8.8(0). This vulnerability is documented in CVE-2008-0530 leavingcisco.com and Cisco Bug IDs CSCsj74818 and CSCsk21863.SCCP-Only Related Vulnerabilities
* Large ICMP Echo Request DoS
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SCCP firmware contain a DoS vulnerability. It is possible to cause a vulnerable device to reboot by sending a large ICMP echo request packet. This vulnerability is corrected in SCCP firmware version 8.0(6). This vulnerability is documented in CVE-2008-0526 leavingcisco.com and Cisco Bug ID CSCsh71110.* HTTP Server DoS
Cisco Unified IP Phone 7935 and 7936 devices running SCCP firmware contain a DoS vulnerability in their internal HTTP server. By sending a specially crafted HTTP request to TCP port 80 on a vulnerable phone, it may be possible to cause the phone to reboot. It is possible to workaround this issue by disabling the internal HTTP server on vulnerable phones. The internal HTTP server only listens to TCP port 80. This vulnerability is corrected in SCCP firmware version 3.2(18) for 7935 devices and SCCP firmware version 3.3(15) for 7936 devices. This vulnerability is documented in CVE-2008-0527 leavingcisco.com and Cisco Bug ID CSCsk20026.* SSH Server DoS
Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G and 7971G devices running SCCP firmware contain a buffer overflow vulnerability in their internal Secure Shell (SSH) server. By sending a specially crafted to packet to TCP port 22 on a vulnerable phone, it may be possible for an unauthenticated attacker to cause the phone to reboot. It may also be possible for an unauthenticated attacker to execute arbitrary code with system privileges. It is possible to workaround this issue by disabling the internal SSH server on vulnerable phones. The internal SSH server only listens to TCP port 22. This vulnerability is corrected in SCCP firmware version 8.2(2)SR2. This vulnerability is documented in CVE-2004-2486 leavingcisco.com and Cisco Bug ID CSCsh79629.SIP-Only Related Vulnerabilities
* SIP MIME Boundary Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SIP firmware contain a buffer overflow vulnerability in the handling of Multipurpose Internet Mail Extensions (MIME) encoded data. By sending a specially crafted SIP message to a vulnerable phone, it may be possible to trigger a buffer overflow and execute arbitrary code on the phone. This vulnerability is corrected in SIP firmware version 8.8(0). This vulnerability is documented in CVE-2008-0528 leavingcisco.com and Cisco Bug ID CSCsj74786.* Telnet Server Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SIP firmware contain a buffer overflow vulnerability in their internal telnet server. The telnet server is disabled by default and can be configured to allow either privileged or unprivileged user-level access. If the telnet server is enabled for privileged or unprivileged access, the phone password parameter must additionally be configured to permit telnet access. By entering a specially crafted command on a phone configured to permit unprivileged access, it may be possible for an unprivileged-level, authenticated user to trigger a buffer overflow and obtain privileged-level access to the phone. It is possible to workaround this issue by disabling the internal telnet server on vulnerable phones. This vulnerability is corrected in SIP firmware version 8.8(0). This vulnerability is documented in CVE-2008-0529 leavingcisco.com and Cisco Bug ID CSCsj78359.* SIP Proxy Response Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SIP firmware contain a heap overflow vulnerability in the handling of a challenge/response message from a SIP proxy. If an attacker controls the SIP proxy to which a vulnerable phone is registered, attempts to register, or the attacker can act as a man-in-the-middle, it may be possible to send a malicious challenge/response message to a phone and execute arbitrary code. This vulnerability is corrected in SIP firmware version 8.8(0). This vulnerability is documented in CVE-2008-0531 leavingcisco.com and Cisco Bug ID CSCsj74765.
The full advisory listing below.
[tags]Cisco IP Phone, IP Phone Vulnerabilities, Cisco IP Phone Overflow, Cisco IP Phone DoS[/tags]
