Cisco 9900 Series Phone webapp Buffer Overflow Vulnerability

2013-10-1115:04:05

tools.cisco.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS

0.004

Percentile

74.2%

JSON

A vulnerability in the web application interface of Cisco 9900 series IP phones could allow an unauthenticated, remote attacker to cause the webapp interface to become unavailable.

The vulnerability is due to insufficient input validation of certain fields. An attacker could exploit this vulnerability by overflowing certain input fields. This could allow the attacker to render the webapp interface of the Cisco 9900 series IP phone unavailable.

Cisco has confirmed the vulnerability in a security notice and released software updates.

To exploit this vulnerability, an attacker may need access to trusted, internal networks to submit crafted input to a targeted device. This access requirement limits the likelihood of a successful attack.

Affected configurations

Vulners

Node

ciscounified_ip_phones_9900_series_firmwareMatchany

ciscounified_ip_phones_9951_firmwareMatch9900_series_firmware

VendorProductVersionCPE
ciscounified_ip_phones_9900_series_firmwareanycpe:2.3:o:cisco:unified_ip_phones_9900_series_firmware:any:*:*:*:*:*:*:*
ciscounified_ip_phones_9951_firmware9900_series_firmwarecpe:2.3:o:cisco:unified_ip_phones_9951_firmware:9900_series_firmware:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	unified_ip_phones_9900_series_firmware	any	cpe:2.3:o:cisco:unified_ip_phones_9900_series_firmware:any:::::::*
cisco	unified_ip_phones_9951_firmware	9900_series_firmware	cpe:2.3:o:cisco:unified_ip_phones_9951_firmware:9900_series_firmware:::::::*