Cisco Unified IP Phone devices contain a vulnerability that could allow an authenticated, remote attacker to eavesdrop on ongoing conversations around an affected device, potentially resulting in a disclosure of sensitive information.
The vulnerability exists due to insecure handling of the Extension Mobility feature. An authenticated, remote attacker could exploit this vulnerability by configuring an affected device to send out a continuous Real-time Transport Protocol (RTP) stream to an attacker-controlled location. This ongoing transmission could allow the attacker to monitor conversations that are happening in the physical space around the affected device.
Cisco has confirmed this vulnerability in a security response; however, updates are not available.
To exploit this vulnerability, an attacker must possess Extension Mobility credentials that are sufficient to allow authentication to the affected device. Only devices with the Extension Mobility feature enabled, along with the built-in web service, are vulnerable to an attack. Additionally, attackers can only attack Extension Mobility-enabled phones that a user is not logged in to. A successful exploit could allow the attacker to eavesdrop on ongoing conversations taking place around the device.
When an affected device is exploited, the phone exhibits visual signs that indicate that something is amiss. An exploited device will illuminate the speakerphone button, and devices with LCD displays will show an off-hook indication. These factors, along with the attacker requiring access to the VoIP network or VLAN, significantly reduce the likelihood of an attack.
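The visual signs only help when someone is looking at the phone, so a network-side check is a useful complement. The following is an added example, not part of the advisory: it scans flow records for steady RTP-like streams leaving the voice VLAN toward unapproved destinations or running far longer than a normal call. The subnets, port range, thresholds and flow-record layout are all assumptions to adapt to the site.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumptions (not from the advisory): site addressing and thresholds.
PHONE_NET = ip_network("10.20.0.0/16")           # voice VLAN
APPROVED_MEDIA = [ip_network("10.20.0.0/16"),    # phone-to-phone media
                  ip_network("10.30.5.0/24")]    # gateways, conference bridges
RTP_PORTS = (16384, 32767)   # assumed RTP UDP port range for the phones
MIN_PPS = 30                 # steady audio is roughly 50 packets/s at 20 ms
MAX_CALL_SECONDS = 4 * 3600  # longer than any expected call

# Constructed sample flow records (e.g. summarized from NetFlow export).
SAMPLE_FLOWS = """\
src,dst,proto,dst_port,duration_s,packets
10.20.1.15,10.20.1.77,udp,24580,312,15600
10.20.1.42,10.30.5.10,udp,18002,1260,63000
10.20.3.9,192.0.2.50,udp,20000,86400,4320000
10.20.4.21,10.20.9.3,udp,16500,30000,1500000
10.20.4.21,10.20.0.5,tcp,2000,90000,1200
10.99.0.7,192.0.2.50,udp,20000,86400,4320000
"""

def suspicious_rtp_flows(flow_csv):
    """Return (src, dst, reasons) for phone-sourced RTP-like flows worth review."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        port, secs = int(row["dst_port"]), int(row["duration_s"])
        if src not in PHONE_NET or row["proto"] != "udp":
            continue  # not media sent by a phone
        if not (RTP_PORTS[0] <= port <= RTP_PORTS[1]) or secs == 0:
            continue
        if int(row["packets"]) / secs < MIN_PPS:
            continue  # too sparse to be a continuous audio stream
        reasons = []
        if not any(dst in net for net in APPROVED_MEDIA):
            reasons.append("unapproved-destination")
        if secs > MAX_CALL_SECONDS:
            reasons.append("long-lived")
        if reasons:
            findings.append((row["src"], row["dst"], reasons))
    return findings

if __name__ == "__main__":
    for src, dst, reasons in suspicious_rtp_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

A flagged source address can then be checked against Extension Mobility login state, since the advisory notes that only phones with no user logged in are exposed.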