Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[security-alerts] FW: [SA28935] Cisco Unified IP Phone Multiple Vulnerabilities
>
> TITLE:
> Cisco Unified IP Phone Multiple Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA28935
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/28935/
>
> CRITICAL:
> Highly critical
>
> IMPACT:
> DoS, System access
>
> WHERE:
> From remote
>
> OPERATING SYSTEM:
> Cisco Unified IP Phones 7900 Series
> http://secunia.com/product/13543/
>
> SOFTWARE:
> Cisco IP Phone 7940
> http://secunia.com/product/1113/
> Cisco IP Phones 7960
> http://secunia.com/product/287/
>
> DESCRIPTION:
> Some vulnerabilities have been reported in Cisco Unified IP Phone
> models, which can be exploited by malicious users to compromise a
> vulnerable device or by malicious people to cause a DoS (Denial of
> Service) and compromise a vulnerable device.
>
> 1) A boundary error within the internal SSH server can be exploited
> to cause a buffer overflow via a specially crafted packet sent to
> default port 22/TCP.
>
> 2) A boundary error in the parsing of DNS responses can be exploited
> to cause a buffer overflow.
>
> 3) A boundary error in the handling of MIME encoded data can be
> exploited to cause a buffer overflow via a specially crafted SIP
> message.
>
> Successful exploitation of the vulnerabilities may allow execution of
> arbitrary code.
>
> 4) A boundary error within the internal telnet server can be
> exploited to cause a buffer overflow via a specially crafted
> command.
>
> Successful exploitation may allow execution of arbitrary code but
> requires that the telnet server is enabled (not enabled by default).
>
> 5) A boundary error in the handling of challenge/response messages
> from an SIP proxy can be exploited to cause a heap-based buffer
> overflow.
>
> Successful exploitation may allow execution of arbitrary code but
> requires e.g. control of a SIP proxy.
>
> 6) An error in the handling of ICMP echo request packets can be
> exploited to cause a device to reboot via an overly large ICMP echo
> request packet.
>
> 7) An error within the internal HTTP server when handling HTTP
> requests can be exploited to cause the device to reboot via a
> specially crafted HTTP request.
>
> The vulnerabilities affect one or more of the following devices
> running SCCP and SIP firmwares (please see the vendor's advisory for
> more information):
>
> Cisco Unified IP Phone devices running SCCP firmware:
> * 7906G
> * 7911G
> * 7935
> * 7936
> * 7940
> * 7940G
> * 7941G
> * 7960
> * 7960G
> * 7961G
> * 7970G
> * 7971G
>
> Cisco Unified IP Phone devices running SIP firmware:
> * 7940
> * 7940G
> * 7960
> * 7960G
>
> SOLUTION:
> Update to the latest firmware versions (see vendor's advisory for
> details).
>
> PROVIDED AND/OR DISCOVERED BY:
> 1) Reported by the vendor
> 2-5) Jon Griffin and Mustaque Ahamad, School of Computer Science,
> Georgia Institute of Technology
> 6) Reported by a Cisco customer
> 7) Sven Weizenegger, T-Systems
>
> ORIGINAL ADVISORY:
> http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml
>
|
