Cisco CISCO-SA-20070821-CVE-2007-4459
Aug 21, 2007 - 8:30 p.m.

Cisco IP Phone Session Initiation Protocol Denial of Service Vulnerability

2007-08-21 20:30:31
tools.cisco.com
CVSS2: 7.1 High
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C

EPSS: 0.822 High
Percentile: 98.4%

Cisco 7940 and 7960 IP Phones with firmware versions 8.6 and prior contain a vulnerability when handling a series of SIP messages that could allow an attacker on the Voice VLAN to cause the phone to fail and restart.

This vulnerability exists due to insufficient handling of certain sets of malformed SIP messages that are sent to affected devices. An unauthenticated, remote attacker with access to the voice VLAN could exploit this vulnerability by sending a series of malicious SIP messages to an affected device. When a device processes these messages, the device may fail and restart. An exploit could result in a denial of service condition.

Exploit code is available.

Cisco confirmed this vulnerability, and updated software is available.

To exploit this vulnerability, an attacker must have access to networks where the affected devices are located. Depending on site configuration, IP phones could reside on separate physical or logical networks. An exploit could allow the attacker to render an affected device unavailable, which may result in a denial of service condition. However, an attacker could not gain access to confidential information or gain any additional privileges as a result of a successful attack.

This vulnerability appears to be a state management bug. When the affected devices respond to a specific sequence of SIP messages, the phone may corrupt its state table, which could result in a crash that triggers a reboot of the device.

Cisco 7940 and 7960 IP phones running firmware version 8.7 are not affected by this vulnerability, as this version contains the correction.

Affected configurations

Vulners
Node
cisco ip_phone_8800_series Match any
OR
cisco ip_phone_8800_series Match any

CPE Name Operator Version
cisco ip phone eq any
cisco ip phone eq any
