Cisco fixed a critical command injection bug in IP Phone Series

Cisco addressed a critical vulnerability, tracked as CVE-2023-20078, impacting its IP Phone 6800, 7800, 7900, and 8800 Series products.


Cisco released security updates to address a critical flaw impacting its IP Phone 6800, 7800, 7900, and 8800 Series products.

The flaw, tracked as CVE-2023-20078 (rated 9.8 out of 10), is a command injection issue that resides in the web-based management interface. The vulnerability is caused by the insufficient validation of user-supplied input.

An unauthenticated, remote attacker can exploit the vulnerability to execute arbitrary commands with the highest privileges on the underlying operating system.


“A vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 Series Multiplatform Phones could allow an unauthenticated, remote attacker to inject arbitrary commands that are executed with root privileges.” reads the advisory. “This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device.”

The IT giant also addressed a high-severity denial-of-service (DoS) vulnerability, tracked as CVE-2023-20079 (CVSS score: 7.5), impacting the same IP Phone series products.

The issue also impacts the Cisco Unified IP Conference Phone 8831 and Unified IP Phone 7900 Series.


“A vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 Series Multiplatform Phones, as well as Cisco Unified IP Conference Phone 8831 and Unified IP Phone 7900 Series Phones, could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.” reads the advisory.

The root cause of the vulnerability is the insufficient validation of user-supplied input in the web-based management interface.

To fix CVE-2023-20078, Cisco recommends that customers running Cisco Multiplatform Firmware versions earlier than 11.3.7SR1 migrate to a fixed release.

The company will not release updates to fix CVE-2023-20079 in Unified IP Conference Phone models because they entered end-of-life (EoL).


“Cisco has not released and will not release software updates to address the vulnerabilities that are described in CVE-2023-20079. Cisco Unified IP Phone 7900 Series and Cisco Unified IP Conference Phone 8831 have entered the end-of-life process. Customers are advised to refer to the end-of-life notices for these products:” concludes the advisory.

The good news is that the Cisco PSIRT is not aware of any malicious exploitation attempts targeting the vulnerabilities.

Pierluigi Paganini (SecurityAffairs – hacking, IP Phone)



