Vulnslist

Cisco IP Phones Web Server Remote Code Execution and Denial of Service Vulnerability

cisco-sa-voip-phones-rce-dos-rB6EeRXs · Critical · Published · Updated

A vulnerability in the web server for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition. The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs

Workarounds

There are no workarounds that address this vulnerability.

However, if web access is not required, disabling it is considered a mitigation for this vulnerability. If web access is disabled, the phone is not vulnerable. For additional information, see the Web Access Disable chapter of the Phone Hardening guide: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/11_0_1/secugd/CUCM_BK_C1A78C1D_00_cucm-security-guide-1101/phone_hardening.pdf

Note: Web access is disabled by default on Cisco IP phones.

CVEs: CVE-2020-3161
Cisco Bug IDs: CSCvs78441, CSCuz03016, CSCvs78272
CVSS Score: Base 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X)
Product Names From Source: Cisco IP phone, Cisco IP Phone 8800 Series Software, Cisco IP Phone 7800 Series, Cisco IP Phone 7800 Series with Multiplatform Firmware, Cisco IP Phone 6800 Series with Multiplatform Firmware, Cisco IP Phone 8800 Series with Multiplatform Firmware

Related Products

Product                                                  | CVE           | Evidence
Cisco RV Series Routers                                  | CVE-2020-3161 | Cisco OpenVuln
Cisco Nexus Dashboard                                    | CVE-2020-3161 | Cisco OpenVuln
Cisco 8000 Series Routers                                | CVE-2020-3161 | Cisco OpenVuln
Cisco IP phone                                           | CVE-2020-3161 | Cisco OpenVuln
Cisco IP Phone 8800 Series with Multiplatform Firmware   | CVE-2020-3161 | Cisco OpenVuln
Cisco IP Phone 8800 Series Software                      | CVE-2020-3161 | Cisco OpenVuln
Cisco IP Phone 7800 Series with Multiplatform Firmware   | CVE-2020-3161 | Cisco OpenVuln
Cisco IP Phone 7800 Series                               | CVE-2020-3161 | Cisco OpenVuln
Cisco IP Phone 6800 Series with Multiplatform Firmware   | CVE-2020-3161 | Cisco OpenVuln