Cisco Unified IP Phones 7900 Series Multiple Vulnerabilities

Summary

Cisco Unified IP Phones 7900 Series devices are affected by three vulnerabilities that could allow an attacker to elevate privileges, change phone configurations, disclose sensitive information, or load unsigned software.

Credit:

The information has been provided by Matt Duggan.
The original article can be found at: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b80111.shtml


Details

Vulnerable Systems:
 * Cisco Unified IP Phones 7900 Series devices

Cisco Unified IP Phones 7900 Series devices, also known as TNP phones, are affected by three vulnerabilities that could allow an attacker to elevate privileges, change phone configurations, disclose sensitive information, or load unsigned software. These three vulnerabilities are classified as two privilege escalation vulnerabilities and one signature bypass vulnerability.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds available to mitigate these vulnerabilities.

Cisco Unified IP Phones 7900 Series devices are affected by two privilege escalation vulnerabilities and a signature bypass vulnerability. The following sections provide the details of each vulnerability addressed in this security advisory.

Privilege Escalation Vulnerabilities

Cisco Unified IP Phones 7900 Series devices are affected by two privilege escalation vulnerabilities that could allow an authenticated attacker to make unauthorized phone configuration changes or obtain potentially sensitive information.

These vulnerabilities are documented in Cisco bug IDs CSCtf07426 (registered customers only) and CSCtn65815 (registered customers only) and have been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2011-1602 and CVE-2011-1603, respectively.

Signature Verification Bypass Vulnerability

Cisco Unified IP Phones 7900 Series devices are affected by a signature verification bypass vulnerability that could allow an authenticated attacker to load a software image without verification of its signature.

Successful exploitation of the two privilege escalation vulnerabilities could allow an authenticated attacker to change phone configuration and obtain system information.

Successful exploitation of the signature verification bypass vulnerability could allow an authenticated attacker to load and execute a software image without verification of its signature.

CVE Information:
CVE-2011-1602
CVE-2011-1603
CVE-2011-1637

Disclosure Timeline:
Revision 1.0 2011-June-01 Initial public release.
