Cisco IP phones vulnerable to eavesdropping; no patch available yet
A vulnerability has been found in two different sets of Cisco Systems Inc. IP phones, and the vendor says the flaw could allow attackers to remotely eavesdrop on phone calls.
Cisco has confirmed a vulnerability (CVE-2015-0670) in the firmware of the Cisco Small Business SPA 300 and 500 series IP phones. The vulnerability is known to affect version 7.5.5 of the phones, but could also impact later versions.
According to the advisory, the vulnerability is due to improper authentication settings in the default configuration, and could potentially be exploited by sending a specially crafted XML request to the affected device.
If such an exploit were successful, the attacker could listen to the audio of a call, initiate phone calls remotely, or conduct further attacks.
Cisco downplayed the vulnerability, saying it is unlikely to be exploited, and noted that the likelihood of a successful exploit would be mitigated if an attacker also needed to penetrate a firewall of a trusted internal network before sending the crafted XML request.
Cisco has not yet released a software update for the affected devices and has not given a timetable for a release. It did, however suggest interim mitigation techniques, such as enabling XML execution authentication in the settings of affected devices, and considering IP-based access control lists (ACLs), which would only allow trusted systems to connect to affected devices.
23 Mar 2015