Summary
Cisco Unified IP Phone models contain multiple overflow and denial of service (DoS) vulnerabilities. There are workarounds for several of these vulnerabilities. Cisco has made free software available to address this issue for affected customers.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080213-phone.
Affected Products
Vulnerable Products
The following Cisco Unified IP Phone devices running Skinny Client Control Protocol (SCCP) firmware:
- 7906G
- 7911G
- 7935
- 7936
- 7940
- 7940G
- 7941G
- 7960
- 7960G
- 7961G
- 7970G
- 7971G
The following Cisco Unified IP Phone devices running Session Initiation Protocol (SIP) firmware:
- 7940
- 7940G
- 7960
- 7960G
The firmware version running on an IP Phone can be determined from the Settings menu on the phone or from the phone's HTTP interface.
Products Confirmed Not Vulnerable
No other Cisco products are known to be vulnerable. In particular, the following Cisco Unified IP Phone devices are confirmed not vulnerable:
- 7905
- 7912
- 7921
- 7931
- 7937
- 7942
- 7945
- 7962
- 7965
- 7975
- 7906G
Details
SCCP and SIP-Related Vulnerabilities
DNS Response Parsing Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SCCP and SIP firmware contain a buffer overflow vulnerability in the handling of DNS responses. A specially-crafted DNS response may be able to trigger a buffer overflow and execute arbitrary code on a vulnerable phone. This vulnerability is corrected in SCCP firmware version 8.0(8) and SIP firmware version 8.8(0). This vulnerability is documented in CVE-2008-0530 and Cisco Bug IDs CSCsj74818 and CSCsk21863.
SCCP-Only Related Vulnerabilities
Large ICMP Echo Request DoS
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SCCP firmware contain a DoS vulnerability. It is possible to cause a vulnerable device to reboot by sending a large ICMP echo request packet. This vulnerability is corrected in SCCP firmware version 8.0(6). This vulnerability is documented in CVE-2008-0526 and Cisco Bug ID CSCsh71110.
HTTP Server DoS
Cisco Unified IP Phone 7935 and 7936 devices running SCCP firmware contain a DoS vulnerability in their internal HTTP server. By sending a specially crafted HTTP request to TCP port 80 on a vulnerable phone, it may be possible to cause the phone to reboot. It is possible to work around this issue by disabling the internal HTTP server on vulnerable phones. The internal HTTP server listens only on TCP port 80. This vulnerability is corrected in SCCP firmware version 3.2(18) for 7935 devices and SCCP firmware version 3.3(15) for 7936 devices. This vulnerability is documented in CVE-2008-0527 and Cisco Bug ID CSCsk20026.
SSH Server DoS
Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G and 7971G devices running SCCP firmware contain a buffer overflow vulnerability in their internal Secure Shell (SSH) server. By sending a specially crafted packet to TCP port 22 on a vulnerable phone, it may be possible for an unauthenticated attacker to cause the phone to reboot. It may also be possible for an unauthenticated attacker to execute arbitrary code with system privileges. It is possible to work around this issue by disabling the internal SSH server on vulnerable phones. The internal SSH server listens only on TCP port 22. This vulnerability is corrected in SCCP firmware version 8.2(2)SR2. This vulnerability is documented in CVE-2004-2486 and Cisco Bug ID CSCsh79629.
SIP-Only Related Vulnerabilities
SIP MIME Boundary Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SIP firmware contain a buffer overflow vulnerability in the handling of Multipurpose Internet Mail Extensions (MIME) encoded data. By sending a specially crafted SIP message to a vulnerable phone, it may be possible to trigger a buffer overflow and execute arbitrary code on the phone. This vulnerability is corrected in SIP firmware version 8.8(0). This vulnerability is documented in CVE-2008-0528 and Cisco Bug ID CSCsj74786.
Telnet Server Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SIP firmware contain a buffer overflow vulnerability in their internal telnet server. The telnet server is disabled by default and can be configured to allow either privileged or unprivileged user-level access. If the telnet server is enabled for privileged or unprivileged access, the phone password parameter must additionally be configured to permit telnet access. By entering a specially crafted command on a phone configured to permit unprivileged access, it may be possible for an unprivileged-level, authenticated user to trigger a buffer overflow and obtain privileged-level access to the phone. It is possible to work around this issue by disabling the internal telnet server on vulnerable phones. This vulnerability is corrected in SIP firmware version 8.8(0). This vulnerability is documented in CVE-2008-0529 and Cisco Bug ID CSCsj78359.
SIP Proxy Response Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SIP firmware contain a heap overflow vulnerability in the handling of a challenge/response message from a SIP proxy. If an attacker controls the SIP proxy to which a vulnerable phone is registered, attempts to register, or the attacker can act as a man-in-the-middle, it may be possible to send a malicious challenge/response message to a phone and execute arbitrary code. This vulnerability is corrected in SIP firmware version 8.8(0). This vulnerability is documented in CVE-2008-0531 and Cisco Bug ID CSCsj74765.
Workarounds
Workarounds are available for several of the vulnerabilities. Disabling unnecessary internal phone Telnet and HTTP servers will eliminate exposure to the Telnet Server overflow and HTTP Server DoS vulnerabilities.
It is possible to mitigate these vulnerabilities with access control lists (ACLs). Filters that deny ICMP Echo Request, TCP port 22 (SSH), TCP port 23 (Telnet), TCP port 80 (HTTP), TCP/UDP port 53 (DNS) and TCP/UDP port 5060 (SIP) should be deployed at voice/data network boundaries as part of a transit ACL (tACL) policy that protects traffic entering the network at ingress access points. This policy should be configured to protect the network device on which the filter is applied and the other devices behind it.
Additional information about tACLs is available in "Transit Access Control Lists: Filtering at Your Edge":
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
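One way to express the filtering policy above as a Cisco IOS extended ACL, given here as an added example that is not part of Cisco's advisory. It assumes a constructed voice VLAN of 10.10.20.0/24, a trusted call-control server and SIP proxy at 10.10.1.10, a trusted DNS resolver at 10.10.1.53, and an interface named GigabitEthernet0/1 facing the data network; all of these are placeholders to be replaced with site values.

```cisco
! Added example, not from the advisory. Placeholder addresses:
!   voice VLAN            10.10.20.0/24
!   call control / SIP    10.10.1.10
!   DNS resolver          10.10.1.53
ip access-list extended VOICE-EDGE-TACL
 remark Permit the phones' trusted servers first so the denies below do not break them
 remark DNS replies arrive FROM source port 53, so match the source port here
 permit udp host 10.10.1.53 eq 53 10.10.20.0 0.0.0.255
 permit tcp host 10.10.1.53 eq 53 10.10.20.0 0.0.0.255
 permit udp host 10.10.1.10 10.10.20.0 0.0.0.255 eq 5060
 permit tcp host 10.10.1.10 10.10.20.0 0.0.0.255 eq 5060
 remark Drop the traffic types named in the advisory from every other source
 remark Large ICMP Echo Request DoS
 deny icmp any 10.10.20.0 0.0.0.255 echo
 remark SSH Server DoS (7906G/7911G/7941G/7961G/7970G/7971G SCCP)
 deny tcp any 10.10.20.0 0.0.0.255 eq 22
 remark Telnet Server Overflow (7940/7940G/7960/7960G SIP)
 deny tcp any 10.10.20.0 0.0.0.255 eq 23
 remark HTTP Server DoS (7935/7936 SCCP)
 deny tcp any 10.10.20.0 0.0.0.255 eq 80
 remark DNS Response Parsing Overflow: spoofed replies (src 53) and queries aimed at phones (dst 53)
 deny udp any eq 53 10.10.20.0 0.0.0.255
 deny tcp any eq 53 10.10.20.0 0.0.0.255
 deny udp any 10.10.20.0 0.0.0.255 eq 53
 deny tcp any 10.10.20.0 0.0.0.255 eq 53
 remark SIP MIME Boundary and SIP Proxy Response overflows: SIP only from the trusted proxy
 deny udp any 10.10.20.0 0.0.0.255 eq 5060
 deny tcp any 10.10.20.0 0.0.0.255 eq 5060
 remark Traffic the advisory does not cover (SCCP signaling, RTP) is left to site policy
 permit ip any any
!
interface GigabitEthernet0/1
 description Ingress from the data network toward the voice VLAN (placeholder)
 ip access-group VOICE-EDGE-TACL in
```

Check with show ip access-lists VOICE-EDGE-TACL that the deny counters grow only for unexpected sources before relying on the policy. The denies also drop legitimate management SSH, Telnet and HTTP to the phones, which the advisory recommends disabling on the phones in any case.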
Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
Obtaining Fixed Software
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
The SIP MIME Boundary, Telnet Server, DNS Response Parsing and SIP Proxy Response overflows were reported to Cisco by Jon Griffin and Mustaque Ahamad of the School of Computer Science at the Georgia Institute of Technology.
The HTTP Server DoS was reported to Cisco by Sven Weizenegger of T-Systems.
The Large ICMP Echo Request DoS vulnerability was reported to Cisco by a customer. The SSH Server DoS was discovered internally by Cisco.
Cisco Security Procedures
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision History
Revision 1.0, 2008-February-13: Initial public release.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.