Vulnslist

find the latest Cisco vulnerabilities

Cisco IP Phones Web Application Buffer Overflow Vulnerability

cisco-sa-20160609-ipp · Critical · Published · Updated

A vulnerability in the web application for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition. The vulnerability exists because the affected software fails to check the bounds of input data. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160609-ipp

Cisco advisory ·CSAF JSON

Workarounds

There are no workarounds that address this vulnerability.

However, if web access is not required, disabling it is considered a mitigation for this vulnerability. If web access is disabled, the phone is not vulnerable. For additional information, see the Web Access Disable chapter of the Phone Hardening https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/11_0_1/secugd/CUCM_BK_C1A78C1D_00_cucm-security-guide-1101/phone_hardening.pdf guide.

Note: Web access is disabled by default on Cisco IP phones.

CVEsCVE-2016-1421
Cisco Bug IDsCSCuz03034, CSCvs78281
CVSS ScoreBase 9.8
Base 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Product Names From Source
Cisco IP phone, Cisco IP Phone 8800 Series Software

Related Products

Product CVE Evidence