A critical vulnerability in the firmware of Cisco small business IP phones lets an unauthenticated remote attacker eavesdrop on private conversations and place phone calls from vulnerable devices, Cisco warned.
LISTEN AND MAKE PHONE CALLS REMOTELY
The vulnerability (CVE-2015-0670) resides in the default configuration of certain Cisco IP phones and is due to "improper authentication", which allows an attacker to remotely eavesdrop on an affected device by sending it a specially crafted XML request.
Moreover, the vulnerability could be exploited to place phone calls remotely from the vulnerable phones, and the information gathered by intercepting audio could be used to carry out further attacks.
AFFECTED DEVICES
The flaw affects Cisco's small business _SPA300_ and _SPA500_ Internet Protocol (IP) phones running firmware version 7.5.5; however, Cisco warns that later versions of the firmware on these devices may also be affected.
It is likely that some of these phones have been configured to be accessible from the Internet, in which case an attacker could easily locate devices running the vulnerable firmware by using the popular Shodan search engine.
> "To exploit this vulnerability, an attacker may need access to trusted, internal networks behind a firewall to send crafted XML requests to the targeted device," the Cisco advisory says. "This access requirement may reduce the likelihood of a successful exploit."
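One way to act on the two points above, the possibility of phones exposed to the Internet and Cisco's observation that the crafted XML requests must reach the phone from a trusted internal network, is to check firewall or proxy logs for XML-bearing requests that arrive at an affected phone from an untrusted source, and to list affected phones that carry a non-internal address. The following script is an added example; it is not code from the original article nor Cisco's own guidance. The log format, the phone inventory, the trusted address ranges and the use of the HTTP Content-Type header as the XML indicator are all assumptions constructed for illustration, and the request path used by the crafted XML is not given on this page, so the check deliberately does not depend on it.

```python
"""Added example (not from the article or from Cisco): flag XML requests to
Cisco SPA300/SPA500 phones on affected firmware that come from outside the
trusted internal networks, and list affected phones with non-internal addresses.

Everything below the imports is constructed for illustration: the inventory,
the trusted ranges, the log format and the sample log lines.
"""
import ipaddress
import re

# Constructed inventory: phone address -> firmware version (assumption).
PHONE_INVENTORY = {
    "10.20.30.41": "7.5.5",
    "10.20.30.42": "7.5.5",
    "203.0.113.7": "7.5.5",   # phone with a public address, findable via Shodan
}
# Firmware the article names as affected; later versions may also be affected.
AFFECTED_VERSIONS = {"7.5.5"}

# Ranges treated as "trusted, internal networks" (assumption for this example).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Content types that indicate an XML request body.
XML_TYPES = ("text/xml", "application/xml")

# Constructed proxy-style log format: timestamp src dst method path "content-type".
# The path is a placeholder; the check does not rely on it.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) '
    r'(?P<path>\S+) "(?P<ctype>[^"]*)"$'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2015-03-20T10:01:02Z 10.20.30.5 10.20.30.41 POST /xml "text/xml"
2015-03-20T10:01:03Z 198.51.100.9 10.20.30.42 POST /xml "application/xml"
2015-03-20T10:01:04Z 198.51.100.9 203.0.113.7 POST /xml "text/xml"
2015-03-20T10:01:05Z 198.51.100.9 203.0.113.7 GET /index.html "text/html"
2015-03-20T10:01:06Z 10.20.30.5 10.20.30.99 POST /api "text/xml"
"""


def is_trusted(addr: str) -> bool:
    """True if addr falls inside one of the trusted internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETWORKS)


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspect_xml_requests(log_text: str) -> list:
    """Return (src, dst, reason) for XML requests that reach an affected phone
    from a source outside the trusted networks."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        fw = PHONE_INVENTORY.get(rec["dst"])
        if fw not in AFFECTED_VERSIONS:
            continue  # destination is not a known affected phone
        ctype = rec["ctype"].split(";")[0].strip().lower()
        if ctype not in XML_TYPES:
            continue  # not an XML request body
        if is_trusted(rec["src"]):
            continue  # matches Cisco's "trusted internal network" condition
        hits.append((rec["src"], rec["dst"],
                     f"XML {rec['method']} from untrusted source to SPA phone on {fw}"))
    return hits


def exposed_phones() -> list:
    """Affected phones whose own address is outside the trusted ranges, i.e. the
    ones an Internet-wide scan such as Shodan could locate."""
    return sorted(a for a, fw in PHONE_INVENTORY.items()
                  if fw in AFFECTED_VERSIONS and not is_trusted(a))


if __name__ == "__main__":
    for src, dst, reason in find_suspect_xml_requests(SAMPLE_LOG):
        print(f"ALERT {src} -> {dst}: {reason}")
    for addr in exposed_phones():
        print(f"EXPOSED affected phone at {addr}")
```

Against the constructed sample log the script raises two alerts (both from 198.51.100.9, one to an internal phone and one to the publicly addressed phone) and lists 203.0.113.7 as exposed; requests from inside the trusted ranges, non-XML requests and traffic to hosts not in the inventory are ignored. In a real deployment the inventory would come from the phone management system and the trusted ranges from the firewall policy.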
Cisco has confirmed the issue, which was discovered and reported by Chris Watts, a researcher at Tech Analysis in Australia, along with two other flaws: an XSS vulnerability (CVE-2014-3313) and a local code execution vulnerability (CVE-2014-3312).
VULNERABILITY UNPATCHED, YET SOME RECOMMENDATIONS
The company has not patched the problem yet and is working on a new firmware version to fix the issue; in the meantime, it offers some recommendations to mitigate the risk: