Advisory ID: cisco-sa-20130109-uipphone
Last Updated 2013 March 27 15:30 UTC (GMT)
For Public Release 2013 January 9 16:00 UTC (GMT)
Vulnerability Scoring Details
Software Versions and Fixes
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: Final
Cisco Security Procedures
Cisco Unified IP Phones 7900 Series versions 9.3(1)SR1 and prior contain an arbitrary code execution vulnerability that could allow a local attacker to execute code or modify arbitrary memory with elevated privileges.
This vulnerability is due to a failure to properly validate input passed to kernel system calls from applications running in userspace. An attacker could exploit this issue by gaining local access to the device using physical access or authenticated access using SSH and executing an attacker-controlled binary that is designed to exploit the issue. Such an attack would originate from an unprivileged context.
Ang Cui initially reported the issue to the Cisco Product Security Incident Response Team (PSIRT). On November 6, 2012, the Cisco PSIRT disclosed this issue in Cisco bug ID CSCuc83860 (registered customers only) Release Note Enclosure. Subsequently, Mr. Cui has spoken at several public conferences and has performed public demonstrations of a device being compromised and used as a listening device.
Mitigations are available to help reduce the attack surface of affected devices. See the "Details" section of this security advisory and the accompanying Cisco Applied Mitigation Bulletin (AMB) for additional information.
A service release has been made available for affected Cisco Customers that includes hardening measures to mitigate the known attack vectors for the vulnerability described in this advisory. This release is generally available and can be downloaded from the product-specific support areas on Cisco.com. The release name is 9.3(1)SR2.
This advisory is available at the following link:
- Cisco Unified IP Phone 7906
- Cisco Unified IP Phone 7911G
- Cisco Unified IP Phone 7931G
- Cisco Unified IP Phone 7941G
- Cisco Unified IP Phone 7941G-GE
- Cisco Unified IP Phone 7942G
- Cisco Unified IP Phone 7945G
- Cisco Unified IP Phone 7961G
- Cisco Unified IP Phone 7961G-GE
- Cisco Unified IP Phone 7962G
- Cisco Unified IP Phone 7965G
- Cisco Unified IP Phone 7970G
- Cisco Unified IP Phone 7971G-GE
- Cisco Unified IP Phone 7975G
- Cisco Unified IP Phone 7902G
- Cisco Unified IP Phone 7905G
- Cisco Unified IP Phone 7910G
- Cisco Unified IP Phone 7912G
- Cisco Unified IP Phone 7940
- Cisco Unified IP Phone 7960
- Cisco Unified IP Phone 7985G
- Cisco Unified Wireless IP Phone 7920 Versions 1/2/3
- Cisco Unified Wireless IP Phone 7921G
- Cisco Unified Wireless IP Phone 7925G
- Cisco Unified Wireless IP Phone 7925G-EX
- Cisco Unified Wireless IP Phone 7926G
- Cisco Unified IP Conference Station 7935
- Cisco Unified IP Conference Station 7936
- Cisco Unified IP Conference Station 7937G
No other Cisco products are currently known to be affected by this vulnerability.
This issue has been publicly demonstrated at several venues. In each demonstration, the devices that are used appear to be unprovisioned phones running an affected version of the Cisco Unified IP Phone software. The demonstrations use a physical attack vector to compromise the phone via a local serial port to place a modified binary on the device, which could then be used to manipulate arbitrary regions of kernel memory by exploiting this issue.
In the demonstrations, the handset microphone is enabled while the handset is in the on-hook position (handset in the cradle). The high-gain area microphones on the TNP devices are electrically connected to the speakerphone active indicator and cannot be bypassed through software manipulation. On the 79x1 Series devices, the handset microphone is controlled by software and the General Purpose Input/Output (GPIO) channels on the audio codec, which allows the microphone to be activated and the display indicators on the handset to be bypassed.
The 79x2 and 79x5 Series devices are designed to provide additional protections by electrically connecting the handset microphone to the off-hook switch, which prevents the microphone from being activated without any indication.
Postulated Remote Attacks
In addition to the physical attack vector, multiple network-based attacks have been postulated that leverage certain behaviors of the Cisco Unified IP Phone. Thus far, the attacks have been predicated on exploiting the use of TFTP. TFTP is an unsecured transport protocol that operates over UDP and is susceptible to spoofing attacks. Cisco recognizes that TFTP is unsecured and has enabled administrators to cryptographically secure phone configuration files transferred over TFTP in Cisco Unified Call Manager Version 5.0 and later. Additionally, in version 8.0(1) and all subsequent releases, Cisco instituted a secure-by-default policy. These releases sign device configuration files by default and disable both the SSH and web daemons on the phones. Signing and encrypting device configuration files prevents an attacker from tampering or replacing these files by spoofing a TFTP server or server response. This is accomplished by verifying the cryptographic signature of these file before they are used by a device.
In addition to these default protections, Cisco provides a comprehensive design guide for all voice network deployments. This includes suggested security feature configurations on intermediate and edge devices to prevent spoofed traffic from being passed on the voice network as well as the isolation and segregation of voice traffic from general network traffic. Security information for Cisco Unified Communications Manager Version 9.0 is available at the following link: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/9x/security.html
Cisco recognizes that while a number of network, device, and configuration-based mitigations exist, there is no way to mitigate the physical attack vector on the affected devices. To this end, Cisco has conducted a phased remediation approach, which started with an intermediate Engineering Special software release for affected devices, that mitigates known attack vectors for the vulnerability documented in this advisory. This software release was available upon request from the Cisco Technical Assistance Center (TAC). Additional enhancements will follow in a Service Release that was posted on Cisco.com on Feburary 14th, 2013.
These two releases should allow administrators to sufficiently secure their voice deployments. However, Cisco is committed to investigating the feasibility of providing a long-term remediation of the core vulnerability. Over the next several months, Cisco will be performing an evaluation of portions of the 7900 series firmware to investigate courses of action that can be taken to fully mitigate the underlying root cause and to improve both the network and physical security posture of the affected devices. Cisco's goal is to provide the most secure IP telephony devices available while continuing to protect customers' investment in their existing infrastructures.
This vulnerability is documented in Cisco bug ID CSCuc83860 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-5445.
Changes have been made to the affected software to harden it against unauthorized access. The following changes have been made:
- Disable the local console port on affected devices.
- This change removes the ability to gain access to the command line of an affected device by physically accessing the AUX/Console port on the phone.
- Remove the default user shell.
- The interactive Unix-like shell has been removed from the affected devices. If SSH has been enabled, and a user successfully authenticates, the only shells available are the debug and log options.
Additional hardening measures have been made in the 9.3(1)SR2 service release. The following change has been made:
- SSH authorized_keys file is no longer sent to phones
- This change removes the ability to authenticate to a phone via SSH keys only. When SSH is enabled, administrators will need to authenticate via Username and Password as defined in a device's profile.
Cisco has scored the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.
Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the following link:
Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:
Calculate the environmental score of CSCuc83860
CVSS Base Score - 6.8
CVSS Temporal Score - 5.8
Successful exploitation of the vulnerability may allow a local attacker to manipulate arbitrary regions of system memory, which includes kernel space. If successful, the attacker could modify the operation of existing code or execute attacker-controlled code with elevated privileges.
Cisco has released a general service release labeled 9.3(1)SR2 for customers, which includes hardening measures that mitigate the known attack vectors for the vulnerability described in this advisory. This is an intermediate resolution release that hardens the device against unauthorized access; it does not resolve the core vulnerability.
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Administrators are advised to read and implement the mitigations found in the following Applied Mitigation Bulletin. If Cisco Unified IP Phones are not deployed on a Cisco infrastructure, administrators should at minimum consider deploying encrypted configurations and ensuring that SSH has been disabled. Configuration files from Cisco Unified Communications Manager Version 8.0(1) and later are signed by default for all affected Cisco Unified IP Phones 7900 Series devices.
Additional mitigations that can be deployed on Cisco devices within the network are available in the companion document "Identifying and Mitigating Exploitation of the Cisco Unified IP Phone Local Kernel System Call Input Validation Vulnerability" at the following link:
The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
- +1 800 553 2447 (toll free from within North America)
- +1 408 526 7209 (toll call from anywhere in the world)
- e-mail: email@example.com
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.
This vulnerability was reported to Cisco by Ang Cui, Columbia University.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
This advisory is posted on Cisco Security Intelligence Operations at the following link:
Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:
Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.
|Revision 1.3||2013-March-27||Corrected Revision History table for Revision 1.2. Incorrect year had been given.|
|Revision 1.2||2013-February-14||Added information regarding the release of general service release 9.3(1)SR2. Added additional hardening information to Details section.|
|Revision 1.1||2013-January-17||Added information about Engineering Special release 9.3(1)-ES11.|
|Revision 1.0||2013-January-09||Initial public release|
Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.