Guest

Products & Services

Cisco Unified IP Phone Local Kernel System Call Input Validation Vulnerability

Advisory ID: cisco-sa-20130109-uipphone

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-uipphone

Revision 1.4

Last Updated  2014 November 3 21:48  UTC (GMT)

For Public Release 2013 January 9 16:00  UTC (GMT)


Summary

Cisco Unified IP Phones 7900 Series versions 9.3(1)SR1 and prior contain an arbitrary code execution vulnerability that could allow a local attacker to execute code or modify arbitrary memory with elevated privileges.

This vulnerability is due to a failure to properly validate input passed to kernel system calls from applications running in userspace. An attacker could exploit this issue by gaining local access to the device using physical access or authenticated access using SSH and executing an attacker-controlled binary that is designed to exploit the issue. Such an attack would originate from an unprivileged context.

Ang Cui initially reported the issue to the Cisco Product Security Incident Response Team (PSIRT). On November 6, 2012, the Cisco PSIRT disclosed this issue in Cisco bug ID CSCuc83860 (registered customers only) Release Note Enclosure. Subsequently, Mr. Cui has spoken at several public conferences and has performed public demonstrations of a device being compromised and used as a listening device.

Mitigations are available to help reduce the attack surface of affected devices. See the "Details" section of this security advisory and the accompanying Cisco Applied Mitigation Bulletin (AMB) for additional information.

Update (November 3rd, 2014):
Updated software that resolves the vulnerability described in this document has been released.  This release is generally available and can be downloaded from the product-specific support areas on Cisco.com. The release version is 9.4(2).

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-uipphone

Affected Products

The vulnerability affects the Cisco Unified IP Phones 7900 Series, also known as TNP phones.

Vulnerable Products

The following Cisco Unified IP Phones 7900 Series devices are affected by the vulnerability documented in this advisory:
  • Cisco Unified IP Phone 7906
  • Cisco Unified IP Phone 7911G
  • Cisco Unified IP Phone 7931G
  • Cisco Unified IP Phone 7941G
  • Cisco Unified IP Phone 7941G-GE
  • Cisco Unified IP Phone 7942G
  • Cisco Unified IP Phone 7945G
  • Cisco Unified IP Phone 7961G
  • Cisco Unified IP Phone 7961G-GE
  • Cisco Unified IP Phone 7962G
  • Cisco Unified IP Phone 7965G
  • Cisco Unified IP Phone 7970G
  • Cisco Unified IP Phone 7971G-GE
  • Cisco Unified IP Phone 7975G

Products Confirmed Not Vulnerable

The following Cisco Unified IP Phones 7900 Series devices are not affected by the vulnerability documented in this advisory:
  • Cisco Unified IP Phone 7902G
  • Cisco Unified IP Phone 7905G
  • Cisco Unified IP Phone 7910G
  • Cisco Unified IP Phone 7912G
  • Cisco Unified IP Phone 7940
  • Cisco Unified IP Phone 7960
  • Cisco Unified IP Phone 7985G
  • Cisco Unified Wireless IP Phone 7920 Versions 1/2/3
  • Cisco Unified Wireless IP Phone 7921G
  • Cisco Unified Wireless IP Phone 7925G
  • Cisco Unified Wireless IP Phone 7925G-EX
  • Cisco Unified Wireless IP Phone 7926G
  • Cisco Unified IP Conference Station 7935
  • Cisco Unified IP Conference Station 7936
  • Cisco Unified IP Conference Station 7937G

No other Cisco products are currently known to be affected by this vulnerability.

Details

Several models in the CiscoUnified IP Phones 7900 Series contain an input validation vulnerability that could allow a local, authenticated attacker to manipulate arbitrary areas of memory within the device. This is due to a failure to properly validate user-supplied parameters that are passed to kernel system calls. Multiple access vectors have been identified whereby an attacker could gain local access to the device. An attacker can accomplish this by gaining physical access to the device via the AUX port on the back of the device, or remotely by first authenticating to the device via SSH. After the Cisco Unified Communications Manager (CallManager) provisions the device, the remote access method is disabled by default.

Public Demonstrations


This issue has been publicly demonstrated at several venues. In each demonstration, the devices that are used appear to be unprovisioned phones running an affected version of the Cisco Unified IP Phone software. The demonstrations use a physical attack vector to compromise the phone via a local serial port to place a modified binary on the device, which could then be used to manipulate arbitrary regions of kernel memory by exploiting this issue.

In the demonstrations, the handset microphone is enabled while the handset is in the on-hook position (handset in the cradle). The high-gain area microphones on the TNP devices are electrically connected to the speakerphone active indicator and cannot be bypassed through software manipulation. On the 79x1 Series devices, the handset microphone is controlled by software and the General Purpose Input/Output (GPIO) channels on the audio codec, which allows the microphone to be activated and the display indicators on the handset to be bypassed.

The 79x2 and 79x5 Series devices are designed to provide additional protections by electrically connecting the handset microphone to the off-hook switch, which prevents the microphone from being activated without any indication.

Postulated Remote Attacks

In addition to the physical attack vector, multiple network-based attacks have been postulated that leverage certain behaviors of the Cisco Unified IP Phone. Thus far, the attacks have been predicated on exploiting the use of TFTP. TFTP is an unsecured transport protocol that operates over UDP and is susceptible to spoofing attacks. Cisco recognizes that TFTP is unsecured and has enabled administrators to cryptographically secure phone configuration files transferred over TFTP in Cisco Unified Call Manager Version 5.0 and later. Additionally, in version 8.0(1) and all subsequent releases, Cisco instituted a secure-by-default policy. These releases sign device configuration files by default and disable both the SSH and web daemons on the phones. Signing and encrypting device configuration files prevents an attacker from tampering or replacing these files by spoofing a TFTP server or server response. This is accomplished by verifying the cryptographic signature of these file before they are used by a device.

In addition to these default protections, Cisco provides a comprehensive design guide for all voice network deployments. This includes suggested security feature configurations on intermediate and edge devices to prevent spoofed traffic from being passed on the voice network as well as the isolation and segregation of voice traffic from general network traffic. Security information for Cisco Unified Communications Manager Version 9.0 is available at the following link: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/9x/security.html

Cisco recognizes that while a number of network, device, and configuration-based mitigations exist, there is no way to mitigate the physical attack vector on the affected devices. To this end, Cisco has conducted a phased remediation approach, which started with an intermediate Engineering Special software release for affected devices, that mitigates known attack vectors for the vulnerability documented in this advisory. This software release was available upon request from the Cisco Technical Assistance Center (TAC). Additional enhancements will follow in a Service Release that was posted on Cisco.com on February 14, 2013.  

The final remediation of this vulnerability has been made available as part of the 9.4(2) general availability software release for affected devices.  The software was posted to Cisco.com in September 2014.

This vulnerability is documented in Cisco bug ID CSCuc83860 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-5445.

Software Hardening

Changes have been made to the affected software to harden it against unauthorized access. The following changes have been made:
  • Disable the local console port on affected devices.
    • This change removes the ability to gain access to the command line of an affected device by physically accessing the AUX/Console port on the phone.
  • Remove the default user shell.
    • The interactive Unix-like shell has been removed from the affected devices. If SSH has been enabled, and a user successfully authenticates, the only shells available are the debug and log options.
These changes have been documented in Cisco Bug ID CSCue04937 (registered customers only).

Additional hardening measures have been made in the 9.3(1)SR2 service release.  The following change has been made:
  • SSH authorized_keys file is no longer sent to phones
    • This change removes the ability to authenticate to a phone via SSH keys only.  When SSH is enabled, administrators will need to authenticate via Username and Password as defined in a device's profile.
These changes have been documented in Cisco Bug ID CSCue04970 (registered customers only).

Vulnerability Scoring Details

Cisco has scored the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:

http://intellishield.cisco.com/security/alertmanager/cvss



CSCuc83860

Calculate the environmental score of CSCuc83860

CVSS Base Score - 6.8

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Local

Low

Single

Complete

Complete

Complete

CVSS Temporal Score - 5.8

Exploitability

Remediation Level

Report Confidence

Functional

Temporary-Fix

Confirmed


Impact

Successful exploitation of the vulnerability may allow a local attacker to manipulate arbitrary regions of system memory, which includes kernel space. If successful, the attacker could modify the operation of existing code or execute attacker-controlled code with elevated privileges.

Software Versions and Fixes

Cisco has released software version 9.4(2) that remediates the vulnerability described in this document. Release notes for this update can be found here: Cisco Unified IP Phone 7900 Series Release 9.4(2)

When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Workarounds

Administrators are advised to read and implement the mitigations found in the following Applied Mitigation Bulletin. If Cisco Unified IP Phones are not deployed on a Cisco infrastructure, administrators should at minimum consider deploying encrypted configurations and ensuring that SSH has been disabled. Configuration files from Cisco Unified Communications Manager Version 8.0(1) and later are signed by default for all affected Cisco Unified IP Phones 7900 Series devices.

Additional mitigations that can be deployed on Cisco devices within the network are available in the companion document "Identifying and Mitigating Exploitation of the Cisco Unified IP Phone Local Kernel System Call Input Validation Vulnerability" at the following link:
http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=27763

Obtaining Fixed Software

Cisco has released free software updates that address the vulnerabilities described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Navigator on Cisco.com at http://www.cisco.com/cisco/software/navigator.html.

Customers using Third Party Support Organizations

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

  • +1 800 553 2447 (toll free from within North America)
  • +1 408 526 7209 (toll call from anywhere in the world)
  • e-mail: tac@cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory.

This vulnerability was reported to Cisco by Ang Cui, Columbia University.

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory is posted on Cisco Security at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-uipphone

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

  • cust-security-announce@cisco.com
  • first-bulletins@lists.first.org
  • bugtraq@securityfocus.com
  • vulnwatch@vulnwatch.org
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • full-disclosure@lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.


Revision History

Revision 1.4 2014-November-03 Updated Summary and Software Versions and Fixes Section to indicate the release of version 9.4(2), which remediates the core vulnerability.
Revision 1.3 2013-March-27 Corrected Revision History table for Revision 1.2. Incorrect year had been given.
Revision 1.2 2013-February-14 Added information regarding the release of general service release 9.3(1)SR2. Added additional hardening information to Details section.
Revision 1.1 2013-January-17 Added information about Engineering Special release 9.3(1)-ES11.
Revision 1.0 2013-January-09 Initial public release

Cisco Security Procedures

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.