Vulnerabilities in Cisco IP telephony products
Cisco has published two security advisories relating to vulnerabilities in its IP Phone and Unified Communications Manager products. Attackers can inject malicious code, conduct denial-of-service attacks or read sensitive information. The vendor is providing updates that fix the flaws.
In several IP Phones that use firmware with SCCP and SIP support, a buffer overflow can occur when handling specially crafted DNS replies, allowing code to be injected. IP Phones that only use the Skinny Client Control Protocol (SCCP) might be able to execute arbitrary code if attackers send manipulated packets to the internal SSH server. Furthermore, the telephones may crash and reboot if they receive large ping packets, or while handling manipulated HTTP queries to the HTTP server integrated in the telephones.
Three flaws in the routines that handle the Session Initiation Protocol (SIP) can be exploited to execute arbitrary code. The IP Phones trip up when decoding manipulated IP messages with MIME-encoded content. Malicious code can also be executed when handling specially crafted packets containing a challenge/response message from a SIP proxy. If the preinstalled telnet server is enabled, registered users can escalate their privileges and execute arbitrary code using commands about which no further details are provided.
In the Unified Messaging Server, registered users can exploit a flaw related to the parameter "key" in order to use SQL commands on administrator and user pages to extract usernames and password hashes from the database. Servers before versions 5.1(3a) and 6.1(1a) are affected.
In its security advisories, Cisco provides a list of all of the IP telephony models affected along with the firmware versions that no longer contain the flaws. Registered users can download the firmware versions from the vendor's website. Cisco is also providing registered users with updated versions of the Unified Messaging Server. Administrators are advised to install the updates as soon as possible.
- Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities, Cisco's security advisory
- SQL injection in Cisco Unified Communications Manager, Cisco's security advisory