Critical Flaw in Cisco IP Phone Series Exposes Users to Command Injection Attack

Mar 02, 2023Ravie LakshmananEnterprise Security / Network Security

Cisco on Wednesday rolled out security updates^[1]
to address a critical flaw impacting its IP Phone 6800, 7800, 7900,
and 8800 Series products.

The vulnerability, tracked as CVE-2023-20078, is rated 9.8 out
of 10 on the CVSS scoring system and is described as a command
injection bug in the web-based management interface arising due to
insufficient validation of user-supplied input.

Successful exploitation of the bug could allow an
unauthenticated, remote attacker to inject arbitrary commands that
are executed with the highest privileges on the underlying
operating system.

“An attacker could exploit this vulnerability by sending a
crafted request to the web-based management interface,” Cisco
said^[2]
in an alert published on March 1, 2023.

Also patched by the company is a high-severity denial-of-service
(DoS) vulnerability affecting the same set of devices, as well as
the Cisco Unified IP Conference Phone 8831 and Unified IP Phone
7900 Series.

CVE-2023-20079 (CVSS score: 7.5), also a result of insufficient
validation of user-supplied input in the web-based management
interface, could be abused by an adversary to cause a DoS
condition.

While Cisco has released Cisco Multiplatform Firmware version
11.3.7SR1 to resolve CVE-2023-20078, the company said it does not
plan to fix CVE-2023-20079, as both the Unified IP Conference Phone
models have entered end-of-life (EoL).

The company said it’s not aware of any malicious exploitation
attempts targeting the flaw. It also said the flaws were discovered
during internal security testing.

The advisory comes as Aruba Networks, a subsidiary of Hewlett
Packard Enterprise, released an update to ArubaOS to remediate^[3]
multiple unauthenticated command injection and stack-based buffer
overflow flaws (from CVE-2023-22747 through CVE-2023-22752, CVSS
scores: 9.8) that could result in code execution.