Cisco Unified IP Phone Local Kernel System Call Input Validation Vulnerability

Cisco Unified IP Phones 7900 Series versions 9.3(1)SR1 and prior contain an arbitrary code execution vulnerability that could allow a local attacker to execute code or modify arbitrary memory with elevated privileges.

This vulnerability is due to a failure to properly validate input passed to kernel system calls from applications running in userspace. An attacker could exploit this issue by gaining local access to the device using physical access or authenticated access using SSH and executing an attacker-controlled binary that is designed to exploit the issue. Such an attack would originate from an unprivileged context.

Ang Cui initially reported the issue to the Cisco Product Security Incident Response Team (PSIRT). On November 6, 2012, the Cisco PSIRT disclosed this issue in Cisco bug ID CSCuc83860[“https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuc83860”] (registered[“https://sec.cloudapps.cisco.comRPF/register/register.do”] customers only) Release Note Enclosure. Subsequently, Mr. Cui has spoken at several public conferences and has performed public demonstrations of a device being compromised and used as a listening device.

Mitigations are available to help reduce the attack surface of affected devices. See the “Details” section of this security advisory and the accompanying Cisco Applied Mitigation Bulletin (AMB) for additional information.

Update (November 3rd, 2014):

Updated software that resolves the vulnerability described in this document has been released. This release is generally available and can be downloaded from the product-specific support areas on Cisco.com. The release version is 9.4(2).

This advisory is available at the following link:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-uipphone[“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-uipphone”]