Cisco warns of critical RCE zero-days in end of life IP phones

Cisco warns of critical RCE zero-days in end of life IP phones

August 8, 2024 at 05:34PM

Cisco has issued a warning about critical remote code execution vulnerabilities in the web-based management interface of Small Business SPA 300 and SPA 500 series IP phones. These flaws, including buffer overflow vulnerabilities, can allow unauthenticated attackers to execute arbitrary commands. Users are urged to transition to newer, supported models as fixes are not available.

Key takeaways from the meeting notes:

– Cisco has warned of multiple critical remote code execution zero-day vulnerabilities in the web-based management interface of the Small Business SPA 300 and SPA 500 series IP phones, which have reached their end of life.
– There are five disclosed vulnerabilities, three rated critical (CVSS v3.1 score: 9.8) and two categorized as high-severity (CVSS v3.1 score: 7.5).
– The critical vulnerabilities allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying OS with root privileges via specially crafted HTTP requests.
– The two high-severity flaws can cause a denial of service on the affected device due to inadequate checks on HTTP packets.
– The end of support for SPA 300 was in February 2022, and for SPA 500, it was in June 2020. Cisco no longer sells these devices, and they will not receive security updates.
– Users are advised to transition to newer, supported models like the Cisco IP Phone 8841 or a model from the Cisco 6800 series. Cisco offers a Technology Migration Program (TMP) to trade-in eligible products and receive credit toward new equipment.
– Users unsure about their options are advised to contact Cisco’s Technical Assistance Center (TAC).

Full Article