Multiple Cisco Analog Telephone Adapters Remote Code Execution Vulnerabilities

2019-10-1616:00:00

tools.cisco.com

0.0004 Low

EPSS

Percentile

12.6%

JSON

Multiple vulnerabilities in Cisco SPA Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges.

The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges.

Note: The web-based management interface is enabled by default.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce [“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce”]

Affected configurations

Vulners

Node

ciscoata_187_analog_telephone_adaptorMatchany

ciscospa112_2-port_phone_adapter_firmwareMatchany

ciscoataMatchany

ciscoata_187_analog_telephone_adaptorMatchany

ciscocisco_spa112Match2-port_phone_adapter

ciscoataMatchany

CPENameOperatorVersion
cisco ata series analog telephone adaptoreqany
cisco spa112 2-port phone adaptereqany
cisco spa122 ata with routereqany
cisco ata series analog telephone adaptoreqany
cisco spa112eq2-Port Phone Adapter
cisco spa122 ata with routereqany

Name	Operator	Version
cisco ata series analog telephone adaptor	eq	any
cisco spa112 2-port phone adapter	eq	any
cisco spa122 ata with router	eq	any
cisco ata series analog telephone adaptor	eq	any
cisco spa112	eq	2-Port Phone Adapter
cisco spa122 ata with router	eq	any