The Cisco IP Phones are vulnerable to several network-based Denial of
Service (DoS) attacks, including the well-known attacks "jolt", "jolt2",
"raped", "hping2", "bloop", "bubonic", "mutant", "trash", and "trash2". All of
these defects were resolved by improving the ability of the IP Phone to resist
high rates of traffic directed at the IP Phone.

The Cisco IP Phones include a built-in web server on port 80. The
server provides several pages of debug and status information about the phone.
An HTTP request can be modified to exploit an input validation
vulnerability, which results in the reinitialization of the IP Phone.

The Cisco IP Phones store their configuration information locally and
most of it is accessible through the "Settings" button on the phone. By
default, these settings are locked (as indicated by a padlock icon in the mode
title bar when viewing them) to prevent them from being changed accidentally.
These settings may be modified via a trusted path key combination: '**#'. This
is documented in the product manual and is not admin-configurable. Once
unlocked, several fields can be reconfigured. Modification of the phone's
configuration is very likely to go unnoticed, since a user never has to
interact with the configuration menu where these changes were made. This will
be resolved at a later date, likely by a configuration option that controls
whether local configuration changes can be made at the keypad of the phone.