Attackers could circumvent security restrictions and compromise certain Cisco IP phones by exploiting a series of flaws, the networking giant warned Wednesday. Some of the problems have been fixed.
The first problem is with the Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G and 7971G devices. The phones contain a hard-coded default user account with a default password that's remotely accessible via a Secure Shell (SSH) server enabled on the phone.
"This default user account may be leveraged to gain administrative access to a vulnerable phone via a privilege escalation vulnerability," Cisco warned. "The default user account may also execute commands causing a phone to become unstable and result in a denial of service."
The company has made free software available to address the flaws.
Researchers also found a series of flaws in the Cisco Unified IP Conference Station and IP phone devices.
According to Cisco:
- It may be possible to access the Unified IP Conference Station administrative HTTP interface without authentication. "This vulnerability can be exploited remotely with no authentication and no user interaction," Cisco said. "If exploited, the attacker may alter the device configuration or create a denial of service." In a default configuration, the attack vector is through TCP port 80, Cisco added.
- Vulnerable Cisco Unified IP Phones contain a default username and password that may be accessed via SSH. "This vulnerability can be exploited remotely with no user interaction," Cisco said. "If exploited, the attacker may be able to modify the device configuration or perform additional attacks." The attack vector is through TCP port 22, the vendor added.
- Affected Cisco Unified IP Phones contain privilege escalation vulnerabilities that allow local, authenticated users to obtain administrative access to the phone. "This vulnerability may be exploited remotely with authentication and no user interaction," Cisco said. "If exploited, the attacker may be able to modify the device configuration or cause a denial of service." The attack vector is through TCP port 22, the vendor said.
The Cisco advisory offers a breakdown of the flaws it has fixed as well as those for which a patch is in development.
In addition to the IP phone issues, the company said it has fixed a flaw in its Cisco Secure Services Client (CSSC). CSSC is a software client that enables customers to deploy a single authentication framework using the 802.1X authentication standard across multiple device types to access both wired and wireless networks. A lightweight version of the CSSC client is also a component of the Cisco Trust Agent (CTA) within the Cisco Network Admission Control (NAC) Framework solution.
Cisco said these products are affected by multiple vulnerabilities, including privilege escalations and information disclosure.