August 8, 2024 at 08:35PM
A BAE boffin discovered 3 critical flaws in Cisco’s Small Business SPA300 and SPA500 IP phones, none of which will be fixed. The flaws allow unauthenticated remote attackers to gain root privileges. Cisco won’t release updates as the products have entered the end-of-life process. No known exploits exist at this time.
A boffin from British defense contractor BAE found critical vulnerabilities in Cisco’s Small Business SPA300 and SPA500 IP phones. Three flaws, rated CVSS 9.8, were identified in the web-based management interface, allowing unauthenticated remote attackers to gain root privileges. These vulnerabilities, tracked as CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454, could lead to arbitrary command execution due to a lack of HTTP packet error checking.
In addition, two less serious flaws, CVE-2024-20451 and CVE-2024-20453, each with a CVSS score of 7.8, could facilitate denial-of-service attacks. Cisco has stated that it will not release software updates to address these vulnerabilities, as the affected phone series have entered the end-of-life process.
Owners of SPA300 handsets will not receive further support, and SPA500 support contracts must be renewed by August 27, 2024, with obsolescence scheduled for May 31, 2025. Despite Cisco’s assertion that it is not aware of any exploits in the wild, organizations are advised to consider replacing their affected devices to mitigate potential security risks.
It is notable that these vulnerabilities were uncovered by an individual identified as “Aidan of BAE Systems Digital Intelligence,” with no surname provided by Cisco. BAE Systems has yet to comment on the matter.