CIsco IP Phone Vulnerabilities

Crying Wolf?

Before i continue, it’s pertinent to gives a heads up: nothing in this article relates to ChatGPT. Sorry.

Lots of fuss was abound this morning (on the back of articles from yesterday with attention-grabbing headlines) regarding these 2 vulnerabilties disclosed, reported as CVE-2023-20078 and CVE-2023-20079. The first of these is rated 9.8 under CVSS 3.1!! (Oh no).

A few points:

  • Affected products: Cisco IP Phone 6800, 7800, 7900, and 8800 Series.
  • The first vulnerability (CVE-2023-20078) is given as an RCE with instant-root, with the web-based management interface of the phone. The other is noted as a DoS condition.
  • Whereas the aforementioned sounds bad, do you have your phones facing the Internet with a public IPv4 address? Probably not. So the attacker would need an internal presence to exploit this condition. If they have an internal presence, are they really going to be going after your phones? They might one supposes. Only you can answer this question.
  • The CVSS rating of 9.8. About that. Lots of stuff is rated 10. Lots of stuff that shouldn’t be. It’s a long story but CVSS ratings have been slammed multiple times by multiple esteemed analysts over the past 5 years. This case here is interesting because we’re talking about phones… the 2nd vulnerability covered is given a 7.8 rating, primarily because its ONLY a DoS . But with YOUR organisation, maybe DoS on your phones is worse than a remote take-over of the phones. CVSS ratings are not based on YOUR network. The folks who put together these ratings know nothing about YOUR organisation. You have to figure out your own risks based on threat modelling (I prefer the OWASP metholodogy).
  • The potential for an automated attack is also there.
  • At the time of writing there was no publicity about attacks in the wild or public disclosed exploit code.
  • Cisco has released software updates that address these vulnerabilities.
  • The RCE as root might get some attention. Usually this is bad development or sys admin practice – to have processes running with super user privileges unnecessarily. However in this case the phone management software is management software and as such needs to manage – it needs root privileges. Let’s not bash Cisco over this one.
  • Finally – a blast from the past. What does Cisco have against web interfaces? A bug I remember that was useful in pen tests, primarily for learning about the target network, involved being able to pass commands under Level 15 (the highest) privileges with no authentication. The advice from Cisco was really something like ‘don’t use HTTP – disable it’.