Cisco IP Phone 7960 Has Multiple Flaws That Let Remote Users Gain Full Control of the Phone

SecurityTracker Alert ID: 1005263
SecurityTracker URL: http://securitytracker.com/id/1005263
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 20 2002
Impact: Root access via network
Exploit Included: Yes
Version(s): Model 7960

Description:
Several vulnerabilities were reported in the Cisco 7960 IP Phone. A remote user can gain complete control over the phone, modify its settings, hijack calls, and make calls.
The Sys-Security Group released a paper outlining multiple flaws in the IP phone.
According to the report, the phone's use of TFTP introduces many weaknesses. Because the TFTP protocol does not provide for authentication, a remote user can retrieve phone configuration files from the TFTP server and subvert all IP Phones on the target user's network.
For example, the 'SIPDefault.cnf' file may contain the 'phone_password' parameter used to grant telnet access to the phone. Apparently, all phones are likely to have the same telnet password. Some may also use the default password of 'cisco'. The remote user can then download the phone-specific configuration file from the TFTP server or telnet to the IP Phone.
In the phone-specific configuration file, the remote user can view the 'linex_authname' and 'linex_password' credentials used to authenticate to the IP telephone network. This allows the remote user to perform toll fraud, hijack phone calls, and perform other misdeeds on the telephony network.
Also, the firmware image is reportedly downloaded and installed without authentication, allowing a remote user with write access to the TFTP server to modify the image. An image could also possibly be modified during download.
It is reported that these vulnerabilities exist in any environment, including that recommended by Cisco for large-scale deployments.
The paper is available (in Adobe Acrobat PDF format) at:
http://www.sys-security.com/archive/papers/The_Trivial_Cisco_IP_Phones_Compromise.pdf
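
A defender-side check for the exposure described above, as an added example that is not part of the original advisory or the Sys-Security paper: it scans a local copy of the files a TFTP server hands out and reports the credential parameters the advisory names, without echoing their values. The `key: "value"` line format, the expansion of 'linex_' to `line<N>_`, the `*.cnf` glob, the function names, and the sample file contents are assumptions or constructed for illustration.

```python
import re
from pathlib import Path

# Parameters the advisory names; 'linex_' is assumed to expand to line1_, line2_, ...
SENSITIVE = re.compile(r"^(phone_password|line\d+_(authname|password))$")
DEFAULT_PASSWORD = "cisco"  # default telnet password quoted in the advisory

def parse_cnf(text):
    """Parse 'key: "value"' lines (assumed format; '#' or ';' starts a comment)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith('"'):
            value = value[1:].split('"', 1)[0]  # keep only the quoted text
        params[key.strip()] = value
    return params

def audit_file(name, text):
    """Return (file, key, issue) tuples; secret values are never echoed."""
    findings = []
    for key, value in parse_cnf(text).items():
        if not SENSITIVE.match(key) or not value:
            continue
        findings.append((name, key, "cleartext credential in TFTP-served file"))
        if key == "phone_password":
            if value == DEFAULT_PASSWORD:
                findings.append((name, key, "default telnet password"))
            if name.lower() == "sipdefault.cnf":
                findings.append((name, key, "telnet password shared by all phones"))
    return findings

def audit_tftp_root(root):
    """Audit every *.cnf file in a local copy of the TFTP root directory."""
    return [f for p in sorted(Path(root).glob("*.cnf"))
            for f in audit_file(p.name, p.read_text(errors="replace"))]

# Constructed sample files; the per-phone file name is a placeholder.
SAMPLE_FILES = {
    "SIPDefault.cnf": '# constructed\nimage_version: "EXAMPLE"\nphone_password: "cisco"\n',
    "SIP000000000000.cnf": 'line1_name: "1001"\nline1_authname: "1001"\nline1_password: "example"\n',
}

if __name__ == "__main__":
    for fname, body in SAMPLE_FILES.items():
        print(*audit_file(fname, body), sep="\n")
```

Any finding means the value is readable by anyone who can reach the TFTP server, so the credential should be treated as exposed and rotated.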

Impact: A remote user can gain complete control over the phone.
Solution: No solution was available at the time of this entry.
Vendor URL: www.cisco.com/warp/public/cc/pd/tlhw/
Cause: Access control error, Authentication error
Underlying OS:
Message History: None.

Source Message Contents

Date: Thu, 19 Sep 2002 12:22:32 +0100
Subject: The Trivial Cisco IP Phones Compromise
Dear all,
The referred paper lists several severe vulnerabilities with Cisco
systems' SIP-based IP Phone 7960 and its supporting environment. These
vulnerabilities lead to: complete control of a user's credentials; total
subversion of a user's settings for the IP Telephony network, and the
ability to subvert the entire IP Telephony environment. Malicious access
to a user's credentials could enable "Call Hijacking", "Registration
Hijacking", "Call Tracking", and other voice related attacks. The
vulnerabilities exist with any deployment scenario, but this paper deals
specifically with large scale deployments as recommended by Cisco.
A PDF version of the paper is available from:
http://www.sys-security.com/archive/papers/The_Trivial_Cisco_IP_Phones_Compromise.pdf
A PDF Zipped version of the paper is available from:
http://www.sys-security.com/archive/papers/The_Trivial_Cisco_IP_Phones_Compromise.zip
I would like to thank Josh Anderson for the help lent me during the
development of the paper.
Yours,
Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA