====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN065
_____________________________________________________________________

DATE                : 06/02/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running IP Conference Phone software.

=====================================================================
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-voip-phones-rce-dos
_____________________________________________________________________

Cisco IP Phone Remote Code Execution and Denial of Service Vulnerability

High
Advisory ID:        cisco-sa-20200205-voip-phones-rce-dos
First Published:    2020 February 5 16:00 GMT
Version 1.0:        Final
Workarounds:        No workarounds available
Cisco Bug IDs:      CSCvr96057
                    CSCvr96058
                    CSCvr96059
CVSS Score:         Base 8.8

CVE-2020-3111
CWE-20


Summary


    A vulnerability in the Cisco Discovery Protocol implementation for
the Cisco IP Phone could allow an unauthenticated, adjacent attacker to
remotely execute code with root privileges or cause a reload of an
affected IP phone.

    The vulnerability is due to missing checks when processing Cisco
Discovery Protocol messages. An attacker could exploit this
vulnerability by sending a crafted Cisco Discovery Protocol packet to
the targeted IP phone. A successful exploit could allow the attacker to
remotely execute code with root privileges or cause a reload of an
affected IP phone, resulting in a denial of service (DoS) condition.

    Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit
this vulnerability, an attacker must be in the same broadcast domain as
the affected device (Layer 2 adjacent).

    Cisco has released software updates that address this vulnerability.
There are no workarounds that address this vulnerability.

    This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-voip-phones-rce-dos


Affected Products

    Vulnerable Products

    This vulnerability affects the following Cisco IP phones with Cisco
      Discovery Protocol enabled1 and running a vulnerable firmware
      release:
        IP Conference Phone 7832
        IP Conference Phone 7832 with Multiplatform Firmware
        IP Conference Phone 8832
        IP Conference Phone 8832 with Multiplatform Firmware
        IP Phone 6821, 6841, 6851, 6861, 6871 with Multiplatform
          Firmware
        IP Phone 7811, 7821, 7841, 7861 Desktop Phones
        IP Phone 7811, 7821, 7841, 7861 Desktop Phones with
          Multiplatform Firmware
        IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones
        IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones with
          Multiplatform Firmware
        Unified IP Conference Phone 8831
        Unified IP Conference Phone 8831 for Third-Party Call Control
        Wireless IP Phone 8821, 8821-EX
    1Cisco Discovery Protocol is enabled by default on most IP Phone models.

    For information about which software releases are vulnerable, see
    the Fixed Software section of this advisory.


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this
    advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the
    following Cisco products:
        IP DECT 6825 with Multiplatform Firmware
        SPA112 2-Port Phone Adapter
        SPA122 ATA with Router
        SPA2102 Phone Adapter with Router
        SPA232D Multi-Line DECT ATA
        Small Business SPA300 Series IP Phones
        Small Business SPA500 Series IP Phones
        SPA3102 Voice Gateway with Router
        SPA8000 8-port IP Telephony Gateway
        SPA8800 IP Telephony Gateway with 4 FXS and 4 FXO Ports


Workarounds

    There are no workarounds that address this vulnerability.


Fixed Software

    Cisco has released free software updates that address the
vulnerability described in this advisory. Customers may only install
and expect support for software versions and feature sets for which
they have purchased a license. By installing, downloading, accessing,
or otherwise using such software upgrades, customers agree to follow
the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they
have a valid license, procured from Cisco directly, or through a Cisco
authorized reseller or partner. In most cases this will be a maintenance
upgrade to software that was previously purchased. Free security
software updates do not entitle customers to a new software license,
additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to
regularly consult the advisories for Cisco products, which are available
from the Cisco Security Advisories and Alerts page, to determine
exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be
upgraded contain sufficient memory and confirm that current hardware
and software configurations will continue to be supported properly by
the new release. If the information is not clear, customers are advised
to contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.


    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco TAC:

https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of entitlement
to a free upgrade.


    Fixed Releases

    Customers are advised to upgrade to an appropriate fixed firmware
release as indicated in the following table:


    Cisco IP Phone Model          Cisco Bug ID      First Fixed Release
    IP Conference Phone 7832      CSCvr96069 	    12.7(1)
    IP Conference Phone 7832 with Multiplatform Firmware     CSCvr96060
    	11.3(1)SR1
    IP Conference Phone 8832      CSCvr96071        12.7(1)
    IP Conference Phone 8832 with Multiplatform Firmware  CSCvr96064   	
          11.3(1)SR1
    IP Phone 6821, 6841, 6851, 6861, 6871 with Multiplatform Firmware 	
            CSCvr96065, CSCvr96067      11.3(1)SR1
    IP Phone 7811, 7821, 7841, 7861 Desktop Phones   CSCvr96739  12.7(1)
    IP Phone 7811, 7821, 7841, 7861 Desktop Phones with Multiplatform
     Firmware       CSCvr96063      11.3(1)SR1
    IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones 	
     CSCvr96066, CSCvr96069 	12.7(1)
    IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones with
     Multiplatform Firmware 	CSCvr96058, CSCvr96059    11.3(1)SR1
    Unified IP Conference Phone 8831  	CSCvr96738  	10.3(1)SR6
      (Targeted for March 2020)
    Unified IP Conference Phone 8831 for Third-Party Call Control  	
     CSCvr96057  	There is no fixed firmware available at this
     time.
    Wireless IP Phone 8821 and 8821-EX      CSCvr96070     11.0(5)SR2

    To download the Cisco IP Phone firmware from the Software Center on
     Cisco.com, do the following:
        Click Browse all.
        Choose Collaboration Endpoints > IP Phones.
        Choose a specific product from the right pane of the product
          selector.
        Choose a release from the left pane of the product page.


Exploitation and Public Announcements

    The Cisco Product Security Incident Response Team (PSIRT) is aware
of public announcements about this vulnerability. Cisco PSIRT is not
aware of any malicious use of the vulnerability that is described in
this advisory.

Source

    Cisco would like to thank Ben Seri, VP of Research at Armis, for
finding and reporting this vulnerability.

URL


https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-voip-phones-rce-dos


Revision History

Version 	Description 	Section 	Status 	Date
1.0 	Initial public release. 	— 	Final 	2020-February-05


Legal Disclaimer

    THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that
omits the distribution URL is an uncontrolled copy and may lack
important information or contain factual errors. The information in
this document is intended for end users of Cisco products.



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================