Cisco issues advisory to plug security hole in VoIP phones

Cisco (Nasdaq: CSCO) issued a security advisory on Wednesday to address a vulnerability in a VoIP phone model that researchers at Columbia University identified last year.

Cisco said the vulnerability in versions of its Cisco Unified IP Phone 7900 Series could enable attackers to gain remote access to the phone.

"This vulnerability is due to a failure to properly validate input passed to kernel system calls from applications running in userspace. An attacker could exploit this issue by gaining local access to the device using physical access or authenticated access using SSH and executing an attacker-controlled binary that is designed to exploit the issue. Such an attack would originate from an unprivileged context," Cisco explained in its Jan. 9 security advisory. The company also issued an accompanying mitigation bulletin.

The company said it had developed a fix for the vulnerability to reduce the "attack surfaces of affected devices." In a statement emailed to FierceEnterpriseCommunications, Cisco said it was not aware of the vulnerability being used against any customers.

Last month, Ang Cui, a graduate student at Columbia University's Intrusion Detection Systems Lab and co-founder of Red Balloon Security, demonstrated the attack on the Cisco Unified IP Phone 7900 Series using a technique he developed with fellow Columbia researcher Salvatore Stolfo to attack printers.

Once the phone was compromised, an attacker could eavesdrop on the entire network of phones in the enterprise, according to Cui.

In response to the initial demonstration, Cisco said it had developed a software patch and workarounds to plug the security hole.

Cui and Stolfo issued a Jan. 4 statement saying they had found "many vulnerabilities" in the firmware of Cisco VoIP phones as well as other embedded systems connected to the Internet.

The researchers said Cisco's patch to repair the vulnerabilities is "ineffective" because it "doesn't solve the fundamental problems we've pointed out to Cisco."

Acknowledging the failure to plug the hole the first time around, Cisco told Network World early this week that it deployed its "A-team" to develop a patch that works.

Perhaps not unexpectedly, the two researchers said they had developed a product, called Software Symbiotes, which is designed to safeguard embedded systems from hackers. "We don't know of any solution to solve the systemic problem with Cisco's IP Phone firmware except for the Symbiote technology or rewriting the firmware," they concluded.
