Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

HÄCKING CISCO PHONES! 2

Status
Not open for further replies.
Let's see what Cisco have to say about this...

[URL unfurl="true" said:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-uipphone[/URL]]
Several models in the CiscoUnified IP Phones 7900 Series contain an input validation vulnerability that could allow a local, authenticated attacker to manipulate arbitrary areas of memory within the device. This is due to a failure to properly validate user-supplied parameters that are passed to kernel system calls. Multiple access vectors have been identified whereby an attacker could gain local access to the device. An attacker can accomplish this by gaining physical access to the device via the AUX port on the back of the device, or remotely by first authenticating to the device via SSH. After the Cisco Unified Communications Manager (CallManager) provisions the device, the remote access method is disabled by default.

Public Demonstrations

This issue has been publicly demonstrated at several venues. In each demonstration, the devices that are used appear to be unprovisioned phones running an affected version of the Cisco Unified IP Phone software. The demonstrations use a physical attack vector to compromise the phone via a local serial port to place a modified binary on the device, which could then be used to manipulate arbitrary regions of kernel memory by exploiting this issue.

In the demonstrations, the handset microphone is enabled while the handset is in the on-hook position (handset in the cradle). The high-gain area microphones on the TNP devices are electrically connected to the speakerphone active indicator and cannot be bypassed through software manipulation. On the 79x1 Series devices, the handset microphone is controlled by software and the General Purpose Input/Output (GPIO) channels on the audio codec, which allows the microphone to be activated and the display indicators on the handset to be bypassed.

The 79x2 and 79x5 Series devices are designed to provide additional protections by electrically connecting the handset microphone to the off-hook switch, which prevents the microphone from being activated without any indication.

My emaphasis
...
An attacker can accomplish this by gaining physical access to the device via the AUX port on the back of the device
In other words, you need to get to the handset to use this method of compromise. Physical security methods should remediate this

or remotely by first authenticating to the device via SSH.
Hmm a bit more of a concern - but first you have to connect to the device. Traditional firewall/NAT/network security should prevent any external access to this device. Then you have to authenticate.

After the Cisco Unified Communications Manager (CallManager) provisions the device, the remote access method is disabled by default
So after the phone is provisioned by the phone system access to the vulnerability is not accessible through SSH!


All in all, interesting exploit, the threat is real, but easily mitigated by security that shoudl be in place anyway.
Oh an Cisco have issued a firmware fix - I guess a sales opportunity to fimrware upgrade the handsets.



In short, VOIP does present extra vectors for attack, but most of these vectors are relatively easily to protect against, using established network security techniques.
Frankly, most of this thread is FUD

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top