Cisco Small Business IP phones vulnerable to eavesdropping

Cisco has confirmed the existence of a flaw affecting its Small Business SPA 300 and 500 series IP phones that can be exploited by attackers to listen to the audio stream of the phones.

Software updates that solve the flaw are not available, but according to information received by ITNews, a patch will be released “soon.”

“The vulnerability (CVE-2015-0670) is due to improper authentication settings in the default configuration. An attacker could exploit this vulnerability by sending a crafted XML request to the affected device,” the company explained in a security advisory. “An exploit could allow the attacker to listen to a remote audio stream or make phone calls remotely. A successful exploit could be used to conduct further attacks.”

The flaw affects version 7.5.5 of the firmware, and likely previous ones, as well. The good news is that the vulnerability isn’t easily exploitable.

“To exploit this vulnerability, an attacker may need access to trusted, internal networks behind a firewall to send crafted XML requests to the targeted device. This access requirement may reduce the likelihood of a successful exploit,” they noted.

Until a patch is released, administrators can mitigate the danger by enabling XML Execution authentication in the configuration settings of affected devices, and allow only trusted users to have network access.

The flaw has been discovered and reported by researcher Chris Watts of Tech Analysis, who also found and reported two other flaws affecting the same series of phones in July 2014: a XSS vulnerability (CVE-2014-3313) and a local code execution vulnerability (CVE-2014-3312).

While software updates for the first have been released, the second one still hasn’t been patched, even though a successful exploit could result in a complete system compromise.