Cisco has released a security advisory to address two critical vulnerabilities in its IP Phone 6800, 7800, 7900, and 8800 Series Web UI.
CVE-2023-20078 may allow an unauthenticated, remote attacker to inject arbitrary commands executed with root privileges.
CVE-2023-20079 may allow an unauthenticated, remote attacker to reload the affected device, resulting in a denial of service (DoS) condition. Cisco has decided not to release a patch for this vulnerability, as the Unified IP Phone 7900 Series and IP Conference Phone 8831 have reached end-of-life and are no longer under regular Cisco support.
Customers may refer to the end-of-life notices for these products:
- Cisco Unified IP Phones 7945, 7965, 7975 and 7916
- Cisco Select IP Conference Phone 8831 for on-premises and accessories
- Cisco IP Conference Phone 8831 for Multiplatform Phones and Accessories
Cisco Unified IP Phones come with traditional telephony functionality along with various other features. The product provides classic features like call forwarding and transferring, redialing, speed dialing, conference calling, and voice messaging system access. The Cisco Unified IP Phone functions like a digital business phone that allows you to place and receive telephone calls. In addition, the Cisco Unified IP Phone also enables you to administer and monitor the phone as a network device.
Description
CVE-2023-20078: Cisco IP Phone 6800, 7800, and 8800 Series Command Injection Vulnerability
The vulnerability has a CVSS score of 9.8 and can be exploited in low-complexity attacks with no privileges required. The vulnerability exists in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 Series Multiplatform Phones.
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit it by sending a crafted request to the web-based management interface; a successful exploit could allow the attacker to execute arbitrary commands on an affected device.
CVE-2023-20079: Cisco IP Phone 6800, 7800, 7900, and 8800 Series Denial of Service Vulnerability
The vulnerability has a CVSS score of 7.5 and can be exploited in low-complexity attacks with no privileges required. The vulnerability exists in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 Series Multiplatform Phones, the Cisco Unified IP Conference Phone 8831, and the Unified IP Phone 7900 Series.
This vulnerability is also due to insufficient validation of user-supplied input. An attacker could exploit it by sending a crafted request to the web-based management interface; a successful exploit could cause the device to reload, resulting in a DoS condition.
Affected products
CVE-2023-20078:
- IP Phone 6800 Series with Multiplatform Firmware
- IP Phone 7800 Series with Multiplatform Firmware
- IP Phone 8800 Series with Multiplatform Firmware
CVE-2023-20079:
- IP Phone 6800 Series with Multiplatform Firmware
- IP Phone 7800 Series with Multiplatform Firmware
- IP Phone 8800 Series with Multiplatform Firmware
- Unified IP Conference Phone 8831
- Unified IP Conference Phone 8831 with Multiplatform Firmware
- Unified IP Phone 7900 Series
Mitigation
Cisco has released an update to address CVE-2023-20078.
The advisory states, “Cisco has not released and will not release software updates to address CVE-2023-20079.”
Customers can refer to the official Cisco Security Advisory (cisco-sa-ip-phone-cmd-inj-KMFynVcP) for more information about the vulnerabilities.
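Because the two CVEs cover different product and firmware combinations, and only one of them gets a fix, a defender's first task is to sort an inventory into "patch", "no fix, end-of-life" and "not affected" buckets. The script below does that sorting using only the product lists and fix status stated in this post. It is an added example, not code from Qualys or Cisco; the inventory record layout (series, a Multiplatform-firmware flag, whether the web UI is enabled) and the sample phones are constructed assumptions, and no fixed firmware version is encoded because the post gives none.

```python
"""Triage a phone inventory against the product lists in Cisco advisory
cisco-sa-ip-phone-cmd-inj-KMFynVcP (CVE-2023-20078 / CVE-2023-20079).

Added example, not code from Qualys or Cisco. The inventory schema below is an
assumption; the affected-product pairs mirror the advisory's lists.
"""
from dataclasses import dataclass, field

# (series, runs Multiplatform Firmware?) pairs, copied from the advisory lists.
# 6800/7800/8800 are listed only with Multiplatform Firmware; the 8831 is listed
# both with and without it; the 7900 Series runs classic firmware only.
AFFECTED = {
    "CVE-2023-20078": {("6800", True), ("7800", True), ("8800", True)},
    "CVE-2023-20079": {("6800", True), ("7800", True), ("8800", True),
                       ("8831", False), ("8831", True), ("7900", False)},
}
# Cisco ships a fix for CVE-2023-20078 only; CVE-2023-20079 gets no update.
FIX_AVAILABLE = {"CVE-2023-20078"}
# Product families the advisory says have reached end-of-life.
END_OF_LIFE_SERIES = {"7900", "8831"}


@dataclass
class Phone:
    hostname: str
    series: str           # assumed inventory field: "6800", "7800", "7900", "8800", "8831"
    multiplatform: bool   # True if the phone runs Multiplatform (MPP) firmware
    web_ui_enabled: bool  # both CVEs are reached through the web-based management UI


@dataclass
class Finding:
    hostname: str
    cves: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def applicable_cves(phone):
    """Return the CVEs whose affected-product list includes this phone."""
    key = (phone.series, phone.multiplatform)
    return sorted(cve for cve, products in AFFECTED.items() if key in products)


def triage(phone):
    """Decide what to do for one phone: update, plan replacement, or nothing."""
    finding = Finding(hostname=phone.hostname, cves=applicable_cves(phone))
    if not finding.cves:
        finding.actions.append("not affected")
        return finding
    if any(cve in FIX_AVAILABLE for cve in finding.cves):
        finding.actions.append("apply Cisco software update for CVE-2023-20078")
    unfixed = [cve for cve in finding.cves if cve not in FIX_AVAILABLE]
    if unfixed:
        if phone.series in END_OF_LIFE_SERIES:
            finding.actions.append("end-of-life product: no fix will ship, plan replacement")
        # Compensating control (this example's suggestion, not an advisory instruction):
        # the flaw is only reachable via the web UI, so reduce who can reach it.
        finding.actions.append(
            f"no vendor fix for {', '.join(unfixed)}: limit network exposure of the web UI")
    if phone.web_ui_enabled:
        finding.actions.append("web UI enabled: prioritize this device")
    return finding


def triage_inventory(phones):
    """Map hostname -> Finding for a whole inventory."""
    return {p.hostname: triage(p) for p in phones}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [
        Phone("mpp-7841-lobby", "7800", True, True),
        Phone("conf-8831-boardroom", "8831", False, True),
        Phone("ent-8841-desk", "8800", False, False),
        Phone("legacy-7965-warehouse", "7900", False, True),
    ]
    for host, f in triage_inventory(sample).items():
        print(host, f.cves, "->", "; ".join(f.actions))
```

Running the block prints one line per sample phone. The 8800 Series phone on classic (non-Multiplatform) firmware comes out as not affected because neither list names it; the 7900 and 8831 devices get only CVE-2023-20079 and an end-of-life action; the Multiplatform 7800 gets both CVEs, an update action for CVE-2023-20078, and an exposure-reduction note for the unfixed DoS.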
Qualys Detection
Qualys customers can scan their devices with QIDs 730742 and 730748 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-cmd-inj-KMFynVcP