Cisco: CISCO-SA-20130828-CVE-2013-3468
Aug 28, 2013 - 7:57 p.m.

Cisco Unified IP Phone 8945 Crafted PNG Image Lockup Vulnerability

2013-08-28 19:57:33
tools.cisco.com
CVSS2: 7.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C

EPSS: 0.004 Low
Percentile: 72.1%

A vulnerability in PNG image processing of the Cisco Unified IP Phone 8945 running software version 9.3(2) could allow an unauthenticated, remote attacker to cause the phone to lock up.

The vulnerability is due to incorrect processing of malformed PNG images. An attacker could exploit this vulnerability by placing a malicious PNG image on the HTTP Server from which the phone requests XML files. A successful exploit could allow the attacker to cause the phone to lock up.

Cisco has confirmed the vulnerability in a security notice and software updates are available.

To exploit this vulnerability, it is likely that an attacker would need access to trusted, internal networks and access to the HTTP server on the network that serves resources to an affected device. These access requirements limit the likelihood of a successful exploit.

Affected configurations

cisco unified_ip_phone_8945 (match: any)
OR
cisco unified_ip_phone (match: 8945)
