News: 1723163415

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Hello? Are you talking on a Cisco SPA300 or SPA500 IP phone? Now's the time to junk 'em

(2024/08/09)


A boffin from British defence contractor BAE has found three critical flaws in Cisco's Small Business SPA300 and SPA500 IP phones – and another couple of nasties – none of which will be fixed or mitigated.

In an [1]advisory published Wednesday, Cisco explained the three most serious flaws – all rated CVSS 9.8 out of 10 – affect the web-based management interface of the devices and could allow an unauthenticated remote attacker gain root privileges to hijack and meddle with the equipment.

The three worst vulnerabilities – CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454 – stem from the fact that the software doesn't handle incoming HTTP requests safely enough. An attacker could therefore send a crafted HTTP request to one of the phones, causing a buffer overflow and making it possible to execute arbitrary commands – with the aforementioned root privileges.

[2]

The other two flaws – CVE-2024-20451 and CVE-2024-20453 – are less serious and earn only a CVSS score of 7.8 thanks to their limited scope. Cisco reports these are also related to issues in HTTP checking mechanisms, but don't allow code execution. They do, however, offer a chance to take down the phones with a denial of service attack.

[3]

[4]

"Cisco has not released and will not release software updates to address the vulnerabilities that are described in this advisory," Switchzilla wrote in its alert. "Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones have entered the end-of-life process."

[5]If you're using older, vulnerable Cisco small biz routers, throw them out

[6]Dump these insecure phone adapters because we're not fixing them, says Cisco

[7]Thousands of Juniper Networks devices vulnerable to critical RCE bug

[8]Windows CE reaches end of life, if not end of sales

Cisco formally [9]stopped shipping fixes for SPA300 handsets in 2020 and ended all support for the devices in February 2024. The last date on which owners of the SPA500 can renew service contracts is August 27, 2024, with obsolescence scheduled for May 31, 2025.

After that date, Cisco won't help – a stance it's also taken with [10]phone adapters and [11]routers it deems are so ancient customers need to acquire replacements.

Products like desktop phones, however, are often assumed to just keep on working forever – because they're just phones – so customers don't think of replacing them the way they do other tech. Plenty of orgs are going to have to either buy new kit or hope attackers don't figure out how to craft and dispatch a packet that crashes their handsets. The good news is Cisco advises it's not aware of any exploits in the wild. Yet.

[12]

The vulnerabilities were reportedly found by someone Cisco identified as "Aidan of BAE Systems Digital Intelligence," without providing a surname. We’ve found at least two people with that name in the infosec division of the British multinational. BAE had no comment at the time of publication. ®

Get our [13]Tech Resources



[1] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-http-vulns-RJZmX2Xz

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZrWUZ3WlSz1sq7b5zonL1wAAAIE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrWUZ3WlSz1sq7b5zonL1wAAAIE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZrWUZ3WlSz1sq7b5zonL1wAAAIE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://www.theregister.com/2022/06/16/cisco_critical_patches/

[6] https://www.theregister.com/2023/05/05/cisco_phone_adapter_vulnerabilitty/

[7] https://www.theregister.com/2024/01/15/juniper_networks_rce_flaw/

[8] https://www.theregister.com/2023/10/30/windows_ce_reaches_eol/

[9] https://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/small-business-spa300-series-ip-phones/eos-eol-notice-c51-741208.html

[10] https://www.theregister.com/2023/05/05/cisco_phone_adapter_vulnerabilitty/

[11] https://www.theregister.com/2022/06/16/cisco_critical_patches/

[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrWUZ3WlSz1sq7b5zonL1wAAAIE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[13] https://whitepapers.theregister.com/



Phones still OK on an inside non-routable network?

cFortC

I've got three SPA525G's. I noticed back in 2022 that an "old QuoVadis certificate issue" was reported, eventually destined to brick these phones. But so far, they have continued working.

I have a question about this newly reported critical flaw in the web administration interface. My phones are all on the "inside LAN" and are presumably protected by hackers on the WAN by my IP gateway router which prevents incoming connection requests, performs NAT, and so on.

Do I still need to be worried about this attack vector?

Re: Phones still OK on an inside non-routable network?

diodesign

Yeah, if no one untrusted can reach the web interface of the devices, they can't exploit it. If someone malicious is on your network and can reach them, then they can attack.

As for if you should worry about it, I think it comes down to this: If there's an intruder or malicious user in your network, are you going to worry about the phones as a priority or whatever else they could do first? You might find a rogue insider or compromised machine has other goals than screwing with your phones.

I guess a particularly nasty intruder might seek to exfiltrate data or run some malware, and then to hamper your efforts to fix things, attack the phones.

But another point: The attacker would have to craft a buffer overflow exploit, which is fiddly, or just crash them with a more trivial exploit. It depends on how much pain someone wants to cause you.

C.

Re: Phones still OK on an inside non-routable network?

david 12

Phones like this, particularly the very old models on very early VOIP networks, were sometimes directly connected to public networks, or even Very Large private networks. When you've got thousands of phones on your network, the line between 'public' and 'private' becomes blurred. If you're not in that category, it's more another irritating "out of support" factor which makes your phones non-upgradable and with zero value on re-sale.

what's the point of the support contract?

Henry Wertz 1

So what's the point of the support contract? So the SPA300 is EOL,. Why would ANYBODY pay a penny for support for the SPA500 (through 2025) if they already say they are not patching critical security vulnerabilities on it? If they aren't doing that they aren't supporting it.

Anonymous Coward

It's a desk phone.

First, Cisco's behavior should not be legal. Desk phones last for DECADES. The only reason a phone should be "out of support" is that the company that built it went out of business.

Second, it's a phone. I've got one of these, and it's not going anywhere. I got it for free, it's hooked up to hamshack hotline, and I don't really give a shit if it gets hacked, which it won't be because it's not accessible from outside my house. I've never run an update on it, because I don't care.

Plastic... Aluminum... These are the inheritors of the Universe!
Flesh and Blood have had their day... and that day is past!
-- Green Lantern Comics