Cisco Systems issued an alert on Wednesday that the security of its IP-based phones could be compromised, allowing hackers to get around the security restrictions and change settings or cause a Denial of Service (DoS).
The flaw affects two different models in Cisco’s Unified IP Conference Station line, the 7935 version 3.2(15) and 7936 version 3.3(12), and the following models of its Cisco Unified IP Phone line: the 7906G, 7911G, 7941G, 7961G, 7970G and 7971G. Cisco did not respond at press time with further comment beyond what was in its alert.
A flaw in the Conference Station’s administrative interface, which allows the conferencing device to be managed remotely, could allow the phone to be exploited remotely with no authentication and no user interaction.
The attack vector is through TCP port 80, the default Web port used by the HTTP interface. Because the administrator’s credentials are saved when the device is accessed remotely, a hacker could gain access as the administrator without having to enter the login credentials.
Information won’t be compromised if an admin never accesses the device via the HTTP interface. The device is vulnerable only while the administrator’s credentials remain cached, but Cisco said the cache can be cleared by powering the device down and turning it back on again.
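Since the attack vector is the phone’s HTTP administrative interface on TCP port 80, one defensive check is to watch for hosts other than the management station reaching that port on the phone VLAN. The script below is an added example, not from the article or from Cisco; the phone subnet, the management allowlist and the flow records are constructed assumptions.

```python
"""Flag HTTP (TCP/80) connections to IP phones from non-management hosts.

Added example, not from the article or from Cisco: the phone subnet, the
management allowlist and the flow records below are constructed assumptions.
The advisory's attack vector is the phone's HTTP admin interface on TCP
port 80, so any other source reaching that port on a phone merits a look.
"""
import ipaddress
from collections import Counter

# Constructed assumptions: where the phones live and who may manage them.
PHONE_SUBNET = ipaddress.ip_network("10.20.0.0/24")
MANAGEMENT_HOSTS = {ipaddress.ip_address("10.1.1.10")}
ADMIN_PORT = 80  # default HTTP port of the Conference Station interface

# Constructed flow records in a simple "src dst proto dport" layout.
SAMPLE_FLOWS = """\
10.1.1.10 10.20.0.15 tcp 80
10.1.1.10 10.20.0.16 tcp 80
192.168.5.77 10.20.0.15 tcp 80
192.168.5.77 10.20.0.15 tcp 80
10.20.0.15 10.20.0.16 udp 5060
172.16.9.3 10.20.0.22 tcp 80
"""

def parse_flow(line):
    """Return (src, dst, proto, dport) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, proto, dport = parts
    try:
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))
    except ValueError:
        return None

def suspicious_admin_access(flow_text):
    """Count TCP/80 flows to phones from non-allowlisted sources, per source IP."""
    hits = Counter()
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed records rather than abort the sweep
        src, dst, proto, dport = flow
        if (proto == "tcp" and dport == ADMIN_PORT
                and dst in PHONE_SUBNET and src not in MANAGEMENT_HOSTS):
            hits[str(src)] += 1
    return dict(hits)

if __name__ == "__main__":
    for src, count in suspicious_admin_access(SAMPLE_FLOWS).items():
        print(f"{src}: {count} HTTP session(s) to a phone admin interface")
```

On the constructed records the sweep reports two sessions from 192.168.5.77 and one from 172.16.9.3, while the allowlisted management host is ignored.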
These phones also contain privilege escalation vulnerabilities that allow local, authenticated users to obtain administrative access to the phone. This vulnerability may be exploited remotely with authentication and no user interaction, and would allow a hacker to change the device configuration or launch a DoS attack.
The problem in the Unified IP phones is that they contain a default user account and password that is used for debugging purposes, but due to an implementation error, this account cannot be disabled, removed or have its password changed. This means that it’s possible for an unauthorized person to remotely access a vulnerable IP phone and take complete control of the device, causing it to become unstable and crash.
Cisco has posted an alert page where it will update customers on fixes. Cisco also said it would make a fix available for free, but did not say when it would be available.