Cisco Subnet: An independent Cisco community

Cisco issues alert on VoIP vulnerability

Columbia research prompts security advisory; software fixes planned

Cisco has issued a security advisory on a vulnerability in its IP phones that allows hackers to access calls and call data. The vulnerability was discovered by researchers at Columbia University.

According to the advisory issued yesterday, the hole exists in Cisco's Unified IP Phone 7900 Series versions 9.3(1)SR1 and prior. The phones contain an arbitrary code execution vulnerability that could allow a local attacker to execute code or "modify arbitrary memory with elevated privileges."

The vulnerability is due to a failure to properly validate input passed to kernel system calls from applications running in userspace, the advisory states. It could allow an attacker to gain local access to the device using physical access or authenticated access, and execute an attacker-controlled binary to exploit it.

Columbia researchers have publicly demonstrated the vulnerability at several venues. They brought it to Cisco's attention back in November. In the demonstrations, the handset microphone is enabled while the handset is in the on-hook position, and the parties on the call have no visual indication that they are, or anyone else is, in the call.

Cisco says mitigations are available to help reduce the attack surface of affected devices but that there is no way to mitigate the physical attack vector. The company said it will conduct a phased remediation approach and will be releasing an intermediate Engineering Special software release to mitigate known attack vectors the week of January 21.

Cisco also said it will provide a long-term remediation of the core vulnerability. Over the next several months, the company will rewrite portions of the 7900 series firmware to "fully mitigate" the underlying root cause.

A patch initially issued for the vulnerability didn't work.
