CISCO has released a new security advisory regarding a very serious flaw in the firmware of its IP Phone 7800 and 8800 series VoIP phones that could be exploited by a remote attacker to execute malicious code or cause a denial-of-service (DoS) condition.

The networking equipment giant said it is working on a patch for the vulnerability, tracked as CVE-2022-20968 (CVSS score: 8.1), which results from insufficient input validation of received Cisco Discovery Protocol (CDP) packets.

If you follow this site regularly you will have read several times about the importance of updating Windows; the same applies to VoIP phones, even though they are technologically quite far from today’s PCs and smartphones.

CDP is a proprietary, network-independent protocol used to collect information about nearby, directly connected devices, such as the hardware, software and device name of each neighbour (similar, to give an idea, to what happens when you pair a smartphone via Bluetooth).
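CDP is a simple type-length-value format, and the flaw above comes down to trusting those length fields. As an added example (not Cisco's code and not a description of the actual defect, which the advisory does not detail), here is a Python parser that drops any frame whose TLV lengths do not fit the bytes actually received; the frames and the TLV type names are constructed for illustration, and the checksum is not verified.

```python
"""Strict TLV parser for a CDP payload (the bytes after the 802.2 SNAP header).
Added example with constructed frames. The checks are the generic length validation a
CDP receiver needs, not a description of the actual firmware defect, which Cisco has not detailed."""
import struct

CDP_HEADER_LEN = 4   # version (1) + TTL (1) + checksum (2); checksum is not verified here
TLV_HEADER_LEN = 4   # type (2) + length (2); the length field counts these 4 bytes too
TLV_NAMES = {0x0001: "Device-ID", 0x0003: "Port-ID", 0x0005: "Software Version"}

class CdpFormatError(ValueError):
    pass  # payload failed validation and must be dropped, never copied into a fixed buffer

def parse_cdp(payload: bytes) -> dict:
    """Return header fields and a {tlv_name: value_bytes} map, or raise CdpFormatError."""
    if len(payload) < CDP_HEADER_LEN:
        raise CdpFormatError("payload shorter than the CDP header")
    version, ttl, checksum = struct.unpack("!BBH", payload[:CDP_HEADER_LEN])
    if version not in (1, 2):
        raise CdpFormatError(f"unsupported CDP version {version}")
    tlvs, offset = {}, CDP_HEADER_LEN
    while offset < len(payload):
        if len(payload) - offset < TLV_HEADER_LEN:
            raise CdpFormatError(f"truncated TLV header at offset {offset}")
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + TLV_HEADER_LEN])
        # The length field is sender-controlled: check it before it drives any slice or copy.
        if tlv_len < TLV_HEADER_LEN:
            raise CdpFormatError(f"TLV 0x{tlv_type:04x} length {tlv_len} below header size")
        if offset + tlv_len > len(payload):
            raise CdpFormatError(f"TLV 0x{tlv_type:04x} length {tlv_len} runs past the payload")
        name = TLV_NAMES.get(tlv_type, f"type-0x{tlv_type:04x}")
        tlvs[name] = payload[offset + TLV_HEADER_LEN:offset + tlv_len]
        offset += tlv_len
    return {"version": version, "ttl": ttl, "checksum": checksum, "tlvs": tlvs}

def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV; used only to build the constructed samples below."""
    return struct.pack("!HH", tlv_type, TLV_HEADER_LEN + len(value)) + value

def is_well_formed(payload: bytes) -> bool:
    """The accept/drop decision a receiver or an IDS rule would make on a CDP frame."""
    try:
        parse_cdp(payload)
        return True
    except CdpFormatError:
        return False

# Constructed sample: a well-formed version-2 announcement, TTL 180, checksum left at 0.
GOOD_FRAME = bytes([2, 180, 0, 0]) + build_tlv(0x0001, b"SEP001122334455") + build_tlv(0x0003, b"Port 1")
# Constructed sample: one TLV whose length field claims 60000 bytes while only 6 follow.
BAD_FRAME = bytes([2, 180, 0, 0]) + struct.pack("!HH", 0x0001, 60000) + b"SEP001"
```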

What does CISCO say about this VoIP phone firmware flaw?

“An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to a particular device”, the company said in a notice published on December 8, 2022.

“A successfully released exploit could allow the attacker to cause a stack overflow, resulting in possible remote code execution or a denial of service (DoS) condition on a given device”.

CISCO VoIP phones running firmware version 14.2 and earlier are affected. A patch is planned for January 2023; the company states that there are currently no updates or alternative solutions to the problem, so it will be necessary to wait for the fix from Cisco itself.

There is, however, a temporary workaround for this issue

In deployments that support both CDP and the Link Layer Discovery Protocol (LLDP) for neighbour discovery, users can choose to disable CDP so that affected devices switch to LLDP to advertise their identity and capabilities to directly connected peers on the local area network (LAN).

“This is not a trivial change and will require business diligence to evaluate any potential impact on devices, as well as the best approach to implement this change in your business”, the company said in its statement.

The company also warned that it is aware that proof-of-concept (PoC) exploit code may be available and that the flaw has been publicly disclosed. There is, however, no evidence that the vulnerability has been actively exploited by any attacker so far.

Qian Chen of the Legendsec Codesafe Team at Qi’anxin Group was credited with discovering and reporting the vulnerability.

This is a new problem, but Cisco VoIP phones are no strangers to security issues

It should be noted, however, that VoIP phones have not been immune to certain kinds of problems over the years.

In 2018, for example, several were reported, although they were later fixed:

Arbitrary script injection;

Easily decipherable code;

Various undocumented debug features;

Various obsolete components with already known vulnerabilities.

And the list could go on. This is one reason these devices are usually kept on internal networks (intranets) rather than exposed to external ones.

Unfortunately, a 100% secure device does not exist, not even Cisco devices, which are certainly among the most secure in the world. A wise man once said: “the only safe computer is a computer that’s turned off, and I’m not sure of that either”.