AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:W/RC:C
-
Cisco Unified IP Phone devices contain a vulnerability that could allow an authenticated, remote attacker to eavesdrop on ongoing conversations around an affected device, potentially resulting in a disclosure of sensitive information.
The vulnerability exists due to insecure handling of the Extension Mobility feature. An authenticated, remote attacker could exploit this vulnerability by configuring an affected device to send out a continuous Real-time Transport Protocol (RTP) stream to an attacker-controlled location. This ongoing transmission could allow the attacker to monitor conversations that are happening in the physical space around the affected device.
Cisco has confirmed this vulnerability in a security response; however, updates are not available.
To exploit this vulnerability, an attacker must possess Extension Mobility credentials that are sufficient to allow authentication to the affected device. Only devices with the Extension Mobility feature enabled, along with the built-in web service, are vulnerable to an attack. Additionally, attackers can only attack Extension Mobility-enabled phones that a user is not logged in to. A successful exploit could allow the attacker to eavesdrop on ongoing conversations taking place around the device.
When an affected device is exploited, the phone exhibits visual signs that something is amiss. An exploited device will illuminate the speakerphone button, and devices with LCD displays will show an off-hook indication. These factors, along with the attacker's need for access to the VoIP network or VLAN, significantly reduce the likelihood of an attack.
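Beyond the visual signs on the phone, the continuous RTP stream described above is also visible in flow records from the voice network. The following is an added example, not part of the Cisco advisory: it reviews flow records for phone-sourced UDP streams that go to an unapproved destination or run far longer than a call would. The record format, subnets, and thresholds are assumptions to replace with site values.

```python
import ipaddress
from dataclasses import dataclass

# Site-specific assumptions, not values from the advisory.
VOICE_VLAN = ipaddress.ip_network("10.20.0.0/16")
APPROVED_MEDIA = [ipaddress.ip_network("10.30.5.0/24")]  # gateways, bridges
MIN_SECONDS = 60        # ignore short UDP exchanges (DNS, NTP, TFTP)
MAX_SECONDS = 4 * 3600  # longer than any expected call

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int
    seconds: int

def parse_flow(line):
    """Parse 'src,dst,proto,dst_port,seconds' (hypothetical flow-export CSV)."""
    src, dst, proto, port, secs = (f.strip() for f in line.split(","))
    return Flow(src, dst, proto.lower(), int(port), int(secs))

def reasons(flow):
    """Return the reasons a phone-sourced flow deserves a look (empty if none)."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # RTP runs over UDP; only sources inside the voice VLAN are treated as phones.
    if flow.proto != "udp" or src not in VOICE_VLAN or flow.seconds < MIN_SECONDS:
        return []
    found = []
    if dst not in VOICE_VLAN and not any(dst in net for net in APPROVED_MEDIA):
        found.append("unapproved-destination")
    if flow.seconds > MAX_SECONDS:
        found.append("long-lived")
    return found

def review(lines):
    """Return (flow, reasons) for every record that matched at least one rule."""
    flows = (parse_flow(l) for l in lines if l.strip())
    return [(f, r) for f in flows if (r := reasons(f))]

# Constructed sample flow records, not captured traffic.
SAMPLE = [
    "10.20.1.15,10.20.1.40,udp,24576,312",    # ordinary phone-to-phone call
    "10.20.1.22,10.30.5.9,udp,18000,1260",    # call through an approved gateway
    "10.20.1.31,192.0.2.77,udp,20480,41800",  # long stream leaving the voice network
    "10.20.1.15,10.20.0.5,tcp,2000,86400",    # TCP signalling, not media
    "10.20.1.44,10.20.1.45,udp,17000,30000",  # internal stream far longer than a call
]
```

A phone that is flagged here while no user is logged in to it matches the precondition the advisory gives for the attack and is worth checking in person for the lit speakerphone button.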
-
Cisco has released a security advisory at the following link: cisco-sr-20071128-phone
-
Administrators are advised to apply updates as they become available.
Administrators are advised to follow VoIP telephony best practices when configuring the voice network.
Administrators are advised to utilize a dedicated VLAN for all VoIP traffic.
Administrators are advised to enforce 802.1X authentication for affected devices.
Administrators are advised to utilize ACLs to restrict access to the web servers of affected devices.
Administrators may consider hard setting MAC addresses on access layer switch ports to prevent unauthorized access.
Administrators may consider disabling the built-in web service on affected devices.
Administrators may consider disabling the Extension Mobility feature.
Administrators may consider disabling the speakerphone and headset functionality on affected devices.
-
Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at tac@cisco.com.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version | Description     | Section | Status | Date
1.0     | Initial Release | NA      | Final  | 2007-Nov-28
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.