Some models of Cisco IP phones have high-severity vulnerability

Share post:

Several models of Cisco Systems’ IP phones have a high-severity vulnerability, the company has acknowledged, but a patch won’t be available until January.

Nor is there a workaround for the Cisco Discovery Protocol processing feature in the Cisco IP Phone 7800 and 8800 Series (excluding the Cisco Wireless IP Phone 8821).

What administrators can think about is disabling Cisco Discovery Protocol on affected phones. Devices will then use LLDP for discovery of configuration data such as voice VLAN, and power negotiation.

However, Cisco warns that “this is not a trivial change and will require diligence on behalf of the enterprise to evaluate any potential impact to devices as well as the best approach to deploy this change in their enterprise.”

“While this mitigation has been deployed and was proven successful in a test environment,” Cisco says, “customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.”

The vulnerability in the Cisco Discovery Protocol processing feature of the affected phones could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device. The hole is due to insufficient input validation of received Cisco Discovery Protocol packets, the Cisco notice says. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device. A successful exploit could allow the attacker to cause a stack overflow, resulting in possible remote code execution or a denial of service (DoS) condition on an affected device.

The post Some models of Cisco IP phones have high-severity vulnerability first appeared on IT World Canada.

Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

Cyber Security Today, May 24, 2024 – A threat actor leverages Windows BitLocker in ransomware attacks, beware of ORB networks, and more

A threat actor leverages Windows BitLocker in ransomware attacks, beware of ORB networks, and more. Welcome to Cyber Security...

Canada centralizing cybersecurity efforts of federal IT departments

Federal departments and agencies are making only marginal progress in improving their cyber maturity, Ottawa said Wednesday as...

Cyber Security Today, May 22, 2024 – LockBit ransomware gang hits more victims, Fluent Bit servers need to be updated, and more

LockBit ransomware gang hits more victims, Fluent Bit servers need to be updated, and more. Welcome to Cyber Security...

Google criticizes Microsoft’s security practices in new report

Google has publicly criticized Microsoft for a series of security missteps, suggesting that organizations might consider more secure...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways