A vulnerability in the web based management interface of the Session Initiation Protocol (SIP) Software on the Cisco IP Phone 7800 Series and the Cisco IP Phone 8800 Series could allow a non-authenticated remote attacker to generate a denial of service (DoS) condition or execute arbitrary code, mentioned experts from the best ethical hacking Institute, in conjunction with specialists from the International Institute of Cyber Security.
The vulnerability exists because the software
poorly validates the input provided by the user during the authentication
process. According to reports, a hacker could exploit this flaw by connecting
to an affected device using HTTP and delivering malicious user keys.
If successful, the attacker could activate a
reload on the affected device, thereby generating a denial-of-service
condition, or could execute arbitrary code using the user privileges of the
application, said the experts from the best ethical hacking Institute. The
company has already released software updates to fix this vulnerability. Other
risk mitigation methods are not known at the time of writing.
According to the experts from the best ethical
hacking Institute, the vulnerability affects Cisco IP Phone 7800 Series and
8800 Series products, as these devices run the SIP software from earlier
versions.
On the other hand, the company has recently
confirmed that IP telephones running the known as Multiplatform Firmware are
not affected by this vulnerability.
Cisco launched updates addressing the
vulnerability mentioned above. Customers only need to install patches and wait
for support for the versions according to their licenses. Cisco recommends not implementing
temporary solutions or workarounds, since so far no functional solution is
known that is not the one that the company will provide.
The company also recommends that users ensure
that their systems are ready to receive the corresponding update, especially
corroborating that there is sufficient space in the memory of the devices.
