Cisco has released two security advisories covering vulnerabilities in its IP Phones and in the Unified Communications Manager (UCM):
- Cisco IP Phones are affected by multiple serious overflow and DoS vulnerabilities. It is time to update your VoIP phones! These issues affect phones running Skinny (SCCP) and/or SIP firmware. The vulnerabilities sit in several phone components; the first four below are especially relevant because they allow remote code execution:
  - DNS (CVE-2008-0530): Malicious DNS responses may trigger a buffer overflow and execute arbitrary code on a vulnerable phone.
  - SSH (CVE-2004-2486, an old CVE): Buffer overflow in the phone's SSH server that may allow remote code execution with system privileges.
  - SIP (CVE-2008-0528): Buffer overflow when handling MIME content in SIP messages that may allow remote code execution.
  - SIP (CVE-2008-0531): Heap overflow when handling SIP challenge and response messages exchanged with the SIP proxy that may allow remote code execution.
  - ICMP (CVE-2008-0526): DoS caused by large ICMP echo request packets (another ping of death!).
  - HTTP (CVE-2008-0527): DoS caused by specially crafted HTTP requests to the phone's HTTP server.
  - Telnet (CVE-2008-0529): Buffer overflow that may allow privilege escalation.
- Cisco UCM is vulnerable to SQL injection (CVE-2008-0026): An authenticated user could access sensitive database information, such as usernames, password hashes and call records, and alter or delete call record information in the database. Update to UCM version 5.1(3a) or 6.1(1a). The flaw is in the key parameter of either the admin or the user interface page.
If you cannot update your IP phones immediately (please do it as soon as possible!), disable the unused affected services on all your phones (which in practice means disabling almost every way of remotely managing the device: HTTP, SSH, Telnet, ...) and/or filter remote access to them using ACLs. In either case, verify from outside the voice VLAN that the management ports are really unreachable.
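Whichever workaround you choose, you want evidence that it took effect. The following script is an added example, not part of the original advisory or of any Cisco tool: it probes the default TCP ports of the three management services named above (assumed to be 80 for HTTP, 22 for SSH and 23 for Telnet; adjust if your phones are configured differently) on a phone address and reports which ones still answer. A listening port means the service is still exposed from wherever you run the check, so the service was not disabled or the ACL is not filtering that path. The two helpers at the end only stand up a throwaway local listener and reserve a closed port so the script can be exercised offline.

```python
import socket
from contextlib import closing

# Default TCP ports of the management services the advisory tells you to
# disable or filter. Assumption: the phones use the standard port numbers.
MANAGEMENT_PORTS = {"http": 80, "ssh": 22, "telnet": 23}


def port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:
            # Refused, timed out (filtered by an ACL) or unreachable all count
            # as "not exposed" from this vantage point.
            return False


def audit_phone(host, services=MANAGEMENT_PORTS, timeout=1.0):
    """Probe each management service on one phone; returns {name: is_open}."""
    return {name: port_open(host, port, timeout) for name, port in services.items()}


def exposed_services(report):
    """Names of the services that still accept connections, sorted."""
    return sorted(name for name, is_open in report.items() if is_open)


def audit_phones(hosts, services=MANAGEMENT_PORTS, timeout=1.0):
    """Audit a list of phone addresses; returns {host: [exposed service names]}."""
    return {host: exposed_services(audit_phone(host, services, timeout)) for host in hosts}


def start_dummy_service():
    """Stand-in for an exposed phone service: a local listener on a free port.
    Used only for self-testing; the kernel completes handshakes on a listening
    socket even though nothing calls accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def reserve_closed_port():
    """Return a local port number that was just released, so connects to it
    are refused (stand-in for a disabled service)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Usage: python audit_phones.py 10.0.5.21 10.0.5.22 ...
    # Run it from a host outside the voice VLAN to test the ACL, and from
    # inside it to test that the service itself was disabled.
    for host, exposed in audit_phones(sys.argv[1:]).items():
        status = ", ".join(exposed) if exposed else "no management service reachable"
        print(f"{host}: {status}")
```

Run the check from both sides of the ACL: a phone that answers from inside the voice VLAN but not from the user network has a working filter, while a phone that answers nowhere has the service disabled. Either result is acceptable until the firmware is updated; a phone that answers from the user network is still exposed.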