J-Security Center

Title: Cisco Unified IP Phone SCCP and SIP Protocol Multiple Remote Vulnerabilities

Severity: CRITICAL

Description:

The Cisco Unified IP Phone is a voice over IP (VoIP) phone.

Cisco Unified IP Phones are prone to multiple remote vulnerabilities:

- A buffer-overflow vulnerability affects phones running the Skinny Client Control Protocol (SCCP) firmware. This issue occurs when parsing DNS responses. An attacker can exploit this issue by sending a specially crafted DNS request via TCP/UDP port 53 to the affected devices. This issue affects Cisco Unified IP Phones 7940, 7940G, 7960, and 7960 running SCCP firmware prior to 8.0(8) and SIP firmware prior to 8.8(0). This vulnerability is being tracked by CVE-2008-0530 and Cisco Bug IDs CSCsj74818 and CSCsk21863.

- A buffer-overflow vulnerability affects phones running the SIP firmware. This issue occurs when handling Multipurpose Internet Mail Extensions (MIME-encoded) data. An attacker can exploit the issue by sending a specially crafted SIP message to the affected devices via TCP/UDP port 5060. This issue affects Cisco Unified IP Phones 7940, 7940G, 7960, and 7960G running SIP firmware prior to 8.8(0). The vulnerability is being tracked by CVE-2008-0528 and Cisco Bug ID CSCsj74786.

- A buffer-overflow vulnerability affects phones running the SIP firmware. This issue affects the device's internal telnet server. Specifically, the device fails to handle specially crafted commands it receives. Attackers can exploit this issue by constructing and sending a specially crafted command via TCP port 23. This issue affects Cisco Unified IP Phones 7940, 7940G, 7960, and 7960G running SIP firmware prior to 8.8(0). This vulnerability is being tracked by CVE-2008-0529 and Cisco Bug ID CSCsj78359.

- A heap-based buffer-overflow vulnerability affects phones running the SIP firmware. This issue occurs when handling challenge/response messages from a SIP proxy. If an attacker acts as a 'man in the middle' or controls the SIP proxy that the phone is registered to or is attempting to register with, the attacker can send malicious challenge/response messages. This issue affects Cisco IP Phones 7940, 7940G, 7960, and 7960G running firmware prior to 8.8(0). This vulnerability is being tracked by CVE-2008-0528 and Cisco Bug ID CSCsj74786.

- A denial-of-service vulnerability affects phones running the SCCP protocol. This issue occurs when handling large ICMP echo requests. Attackers can exploit this issue by constructing and sending a large ICMP echo request to the affected devices. This issue affects Cisco Unified IP Phones 7950, 7940G, 7960, and 7960G running SCCP firmware prior to 8.0(6). The vulnerability is being tracked by CVE-2008-0526 and Cisco Bug ID CSCsh71110.

- A denial-of-service vulnerability affects phones running the SCCP protocol. This issue affects the device's internal HTTP server. An attacker can exploit this issue by sending a specially crafted HTTP request via TCP port 80 to the affected devices. Successfully exploiting this issue will cause affected devices to reboot. This issue affects Cisco Unified IP Phone 7935 running firmware prior to 3.2(17) and 7936 running firmware prior to 3.3(15). The vulnerability is being tracked by CVE-2008-0527 and Cisco Bug ID CSCsk20026.

An attacker can exploit these issues to execute arbitrary code with superuser privileges or crash the affected device, denying service to legitimate users.

Affected Products:

  • Cisco Unified IP Phone 7935
  • Cisco Unified IP Phone 7936
  • Cisco Unified IP Phone 7940
  • Cisco Unified IP Phone 7940G
  • Cisco Unified IP Phone 7960
  • Cisco Unified IP Phone 7960G
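
The firmware thresholds listed in the description can be checked against a phone inventory. The following is an added example, not part of the original advisory or any vendor tool: it compares Cisco-style `major.minor(build)` versions numerically and reports which of the CVEs above still apply to each phone. It assumes every 7940/7960 entry applies to all four 7940/7960-series models in the Affected Products list; the inventory rows, hostnames and service labels are constructed.

```python
import re

# Assumption: each 7940/7960 item in the advisory covers all four models below.
SERIES = {"7940", "7940G", "7960", "7960G"}

# (models, firmware type, first fixed release, CVE, exposed service), taken from
# the advisory text above; the service labels are this example's own wording.
RULES = [
    (SERIES, "SCCP", "8.0(8)", "CVE-2008-0530", "DNS 53/tcp+udp"),
    (SERIES, "SIP", "8.8(0)", "CVE-2008-0530", "DNS 53/tcp+udp"),
    (SERIES, "SIP", "8.8(0)", "CVE-2008-0528", "SIP 5060/tcp+udp"),
    (SERIES, "SIP", "8.8(0)", "CVE-2008-0529", "telnet 23/tcp"),
    (SERIES, "SCCP", "8.0(6)", "CVE-2008-0526", "ICMP echo"),
    ({"7935"}, "SCCP", "3.2(17)", "CVE-2008-0527", "HTTP 80/tcp"),
    ({"7936"}, "SCCP", "3.3(15)", "CVE-2008-0527", "HTTP 80/tcp"),
]

def parse_version(text):
    """Turn 'major.minor(build)' into an int tuple so 3.2(9) sorts before 3.2(17)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\((\d+)\)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())

def exposures(model, firmware, version):
    """Return sorted (CVE, service) pairs that still apply to one phone."""
    model, firmware = model.strip().upper(), firmware.strip().upper()
    have = parse_version(version)
    hits = {(cve, svc) for models, fw, fixed, cve, svc in RULES
            if model in models and firmware == fw and have < parse_version(fixed)}
    return sorted(hits)

def audit(inventory):
    """Map host -> exposures for every inventory row that is still affected."""
    report = {}
    for row in inventory:
        hits = exposures(row["model"], row["firmware"], row["version"])
        if hits:
            report[row["host"]] = hits
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    {"host": "phone-lobby", "model": "7960G", "firmware": "SIP", "version": "8.7(0)"},
    {"host": "phone-desk1", "model": "7940", "firmware": "SCCP", "version": "8.0(7)"},
    {"host": "conf-room-a", "model": "7935", "firmware": "SCCP", "version": "3.2(9)"},
    {"host": "conf-room-b", "model": "7936", "firmware": "SCCP", "version": "3.3(15)"},
]

if __name__ == "__main__":
    for host, hits in audit(SAMPLE).items():
        print(host, hits)
```

The service column shows which port or protocol to restrict at the network edge until the phone is upgraded.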
