Cisco patches critical Web UI RCE flaw in multiple IP phones

Cisco has addressed a critical security vulnerability found in the Web UI of multiple IP Phone models that unauthenticated and remote attackers can exploit in remote code execution (RCE) attacks.

The RCE flaw (CVE-2023-20078) allows attackers to inject arbitrary commands that will be executed with root privileges following successful exploitation.

“A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device,” Cisco today.

The company also disclosed today a second high-severity vulnerability (CVE-2023-20079) that can be abused to trigger denial-of-service (DoS) conditions.

Both bugs are due to insufficient validation of user-supplied input and can be exploited using maliciously crafted requests sent to the targeted device’s web-based management interface.

The security vulnerabilities were discovered by Zack Sanchez of the Cisco Advanced Security Initiatives Group (ASIG) during internal security testing.

The list of affected devices includes Cisco IP Phone 6800, 7800, and 8800 series devices with Multiplatform Firmware (vulnerable to both RCE and DoS attacks), and the Unified IP Conference Phone 8831, Unified IP Conference Phone 8831 with Multiplatform Firmware, and Unified IP Phone 7900 Series (only vulnerable to DoS attacks).

The company’s Product Security Incident Response Team (PSIRT) added that it hadn’t seen evidence of attempts to exploit this security flaw in attacks.

Denial-of-service vulnerability remains unpatched

While Cisco released security updates to address the CVE-2023-20078 RCE vulnerability, the company said it would not release patches to fix the CVE-2023-20079 DoS flaw.

“Cisco Unified IP Phone 7900 Series and Cisco Unified IP Conference Phone 8831 have entered the end-of-life process,” the company explained.

Cisco also announced in December that it (CVE-2022-20968) with public exploit code found in the Cisco Discovery Protocol (CDP) processing feature of Cisco IP Phones running 7800 and 8800 Series firmware.

While a security update for CVE-2022-20968 is not yet available, admins are advised to disable CDP on affected IP Phone devices supporting Link Layer Discovery Protocol (LLDP) to remove the attack vector.

In February 2020, Cisco patched five other RCE and DoS vulnerabilities in the Cisco Discovery Protocol, collectively known as and potentially affecting tens of millions of enterprise devices.