Cisco: Critical gaps in IP phones - no updates available

There will be no updates for critical gaps in Cisco IP phones. A proof-of-concept exploit has emerged for a recently reported vulnerability.

Cisco has published security warnings for certain IP phones. Attackers can execute commands on them or paralyze them with DoS attacks. The company also warns of cross-site scripting vulnerabilities in Cisco's ISE. A proof-of-concept exploit has now also emerged for a recently reported vulnerability.

Three vulnerabilities classified as critical allow attackers to inject arbitrary commands into the web interface of the SPA300 and SPA500 series of Cisco IP phones (CVE-2024-20450, CVE-2024-20452, CVE-2024-20454; CVSS 9.8, risk "critical"). In addition, two further vulnerabilities in the web interface allow the devices to be paralyzed by means of a DoS attack (CVE-2024-20451, CVE-2024-20453; CVSS 7.5, risk "high").

Anyone using these devices should recycle them quickly, as Cisco writes in the security notice that there is no workaround - and no updated software to close the vulnerabilities. According to the notice, the products have reached the end of their life cycle.

A critical vulnerability in Cisco's Smart Software Manager On-Prem (SSM On-Prem) became known in mid-July. Attackers can change passwords of user accounts - including the administrator account - without prior authentication and thus compromise the systems (CVE-2024-20419, CVSS 10, critical). Cisco has now updated the security advisory: there is at least one proof-of-concept exploit that demonstrates exploitation of the vulnerability. It is therefore to be expected that cybercriminals will add this attack to their toolkit and exploit the vulnerability in the wild in the near future. IT managers should install the available updates now at the latest.

In the Cisco Identity Services Engine (ISE), authenticated attackers can also launch remote cross-site scripting attacks against users of the web-based management interface (CVE-2024-20443, CVSS 5.4, medium; CVE-2024-20479, CVSS 4.8, medium). This allows them to execute arbitrary script code in the context of the management interface or access sensitive information. The first vulnerability requires low user rights for attackers, while the second requires admin rights. According to the Cisco security announcement, IT managers must update Cisco ISE versions 2.7 and 3.0 to a supported software version. Updates are also available for the vulnerable versions 3.1, 3.2 and 3.3 (for 3.2 only in September); version 3.4 is not affected.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.