Using Cisco IP phones? Fix these critical vulnerabilities
Cisco has released another batch of fixes for a number of its products. Among the vulnerabilities fixed are critical flaws affecting a variety of Cisco IP phones and Cisco UCS Director and Cisco UCS Director Express for Big Data, its unified infrastructure management solutions for data center operations.
The critical vulnerabilities
Jacob Baines, a research engineer with Tenable, unearthed two critical flaws affecting the Cisco Wireless IP Phone 8821. Cisco then tested other IP phones and found several series that were affected, as well.
CVE-2020-3161 affects the web server and CVE-2016-1421 the web application for Cisco IP Phones. Both may allow an unauthenticated remote attacker to trigger a stack-based buffer overflow by sending a crafted HTTP request, which could ultimately lead to a DoS condition or may allow the attacker to execute code with root privileges.
If you’re wondering why the CVE of the latter vulnerability indicates that it was reported in 2016, it’s because it (partly) was.
“During Tenable’s original analysis, they noted the similarity of this vulnerability to [a previously discovered bug]. However, Cisco’s advisory described the vulnerability as requiring authentication, DoS only, and the Wireless IP Phone 8821 wasn’t listed on the affected list. After disclosing to Cisco, they informed Tenable that the described bug was CVE-2016-1421 and subsequently updated their disclosure,” Tenable explained.
Admins are advised to check whether the IP phones in use in their enterprise are affected and to upgrade the firmware if they are. There are no workarounds for the flaws, but exploitation risk can be mitigated by disabling web access. Web access is disabled by default on Cisco IP phones, but some enterprises might have enabled it.
Baines has published Denial of Service PoCs for both flaws on Tenable’s GitHub repository.
Cisco has also provided fixes for nine authentication bypass vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data.
Only one of these is deemed to be critical. Exploiting one or several of these can allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device.
Admins are advised to upgrade to UCS Director Release 18.104.22.168 and UCS Director Express for Big Data Release 22.214.171.124 to plug the security holes.
The flaws were discovered by infosec specialist Steven Seeley of Source Incite, who promised to provide more details about the vulnerabilities soon.
The high-risk vulnerabilities
Finally, a path traversal vulnerability in Cisco Unified Communications Manager (UCM) and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to read arbitrary files on the system.