[NEWS] Multiple Vulnerabilities in Cisco IP Telephones

From: support@securiteam.com
Date: 05/22/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 22 May 2002 22:05:34 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Multiple Vulnerabilities in Cisco IP Telephones
------------------------------------------------------------------------

SUMMARY

Several vulnerabilities have been identified and repaired in Cisco IP
Phones. One vulnerability allows unauthorized modification of the phone's
configuration, while the remainders cause the phone to restart when
certain types of network traffic are received.

Workarounds are available for some of the vulnerabilities. Cisco is
offering free fixed software to address these vulnerabilities. Full
details are available below and in the on-line copy of this document at
<http://www.cisco.com/warp/public/707/multiple-ip-phone-vulnerabilities-pub.shtml> http://www.cisco.com/warp/public/707/multiple-ip-phone-vulnerabilities-pub.shtml.

DETAILS

Affected Products:
Cisco IP Phone models 7910, 7940, and 7960 are the only Cisco products
affected by these vulnerabilities.

Details:
CSCdw16714
CSCdw16720
CSCdw95128
CSCdv29136
The Cisco IP Phones are vulnerable to several network based Denial of
Service (DoS) attacks including the well-known attacks for "jolt",
"jolt2", "raped", "hping2", "bloop", "bubonic", "mutant", "trash", and
"trash2". All of these defects were resolved by improving the ability of
the IP Phone to resist high rates of traffic directed at the IP Phone.

CSCdw93296
CSCdx21102
The Cisco IP phones include a built-in web server on port 80. The server
provides several pages of debug and status information about the phone. It
is possible to modify an HTTP request to exploit an input validation
vulnerability that results in the re-initialization of the IP phone.

CSCdx21108
The Cisco IP Phones store their configuration information locally and most
of it is accessible through the "Settings" button on the phone. By
default, these settings are locked (as indicated by a padlock icon in the
mode title bar when viewing them) to prevent them from being changed
accidentally. These settings may be modified via a trusted path key
combination: '**#'. This is documented in the product manual and is not
admin-configurable. Once unlocked, several fields can be reconfigured.
Modification of the phone's configuration is very likely to go unnoticed,
since a user never has to interact with the configuration menu where these
changes were made. This will be resolved later by a configuration option
to control the ability to make local configuration changes at the keypad
of the phone.

Impact:
Cisco IP Phones can be forced to restart by an attacker using any of a
variety of widely available, well-known DOS programs if the attacker can
successfully transmit packets to the IP Telephone. The phone may also
restart in the event it receives a crafted HTTP request with invalid
arguments directed at the phone. Any call in progress on the affected IP
Phone will be disconnected, and the IP Phone will not be useable until it
has finished restarting and resumed normal operation. This attack can be
repeated indefinitely.

Cisco IP phones running a SIP or MGCP image are subject to the same widely
available denial-of-service programs but are not susceptible to a
web-based attack as those images do not include a web interface.

Normal operation of Cisco IP Phones can be subverted if an attacker
obtains local physical access to the IP Phone and reconfigures it,
possibly forcing it to download software or configuration information of
his or her own choosing. A successful attacker could gain full control
over the operation of the IP Phone and any call setup requests and
responses made between the IP Phone and Cisco CallManagers or other VoIP
gateways.

Software Versions and Fixes:
Cisco IP Phone Firmware (fixes carry forward into all later versions)

CallManager Version Affected - First Fixed Firmware Release - First Fixed
CallManager Release.
3.0 - P003J310 - N/A
3.1 - P00303010401- 3.1(4)
3.2 - P00303020203 (available 2002-05-29) - TBD

Cisco IP Phone SIP or MGCP Firmware (fixes carry forward into all later
versions)
Version Affected - First Fixed Firmware Release.
POS3-03-1-00 and earlier - TBD
POM3-03-1-00 and earlier - TBD

Obtaining Fixed Software
Cisco is offering free software upgrades to address this vulnerability for
all affected customers. Customers may only install and expect support for
the feature sets they have purchased.

Customers with service contracts should contact their regular update
channels to obtain any software release containing the feature sets they
have purchased. For most customers with service contracts, this means that
upgrades should be obtained through the Software Center on Cisco's
Worldwide Web site at <http://www.cisco.com/> http://www.cisco.com/.

Customers whose Cisco products are provided or maintained through a prior
or existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with obtaining the free software
upgrade(s).

Customers who purchased directly from Cisco but who do not hold a Cisco
service contract, and customers who purchase through third party vendors
but are unsuccessful at obtaining fixed software through their point of
sale, should obtain fixed software by contacting the Cisco Technical
Assistance Center (TAC) using the contact information listed below. In
these cases, customers are entitled to obtain an upgrade to a later
version of the same release or as indicated by the applicable row in the
Software Versions and Fixes table (noted above).

Cisco TAC contacts are as follows:
 * +1 800 553 2447 (toll free from within North America)
 * +1 408 526 7209 (toll call from anywhere in the world)
 * e-mail: tac@cisco.com

See <http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml>
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional
TAC contact information, including special localized telephone numbers,
instructions, and e-mail addresses for use in various languages.

Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade.

Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

Workarounds:
Denial-of-service attacks on the Cisco IP Phone can be mitigated by
limiting or blocking IP traffic from untrusted sources. Exploitation of
the web interface vulnerability can be provided by blocking access to port
80 via other devices on the network. The basic configuration of the Cisco
IP Telephone can be protected by permitting physical access only by
authorized users and network administrators.

ADDITIONAL INFORMATION

The information has been provided by <mailto:psirt@cisco.com> Cisco
Systems Product Security Incident Response Team.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages