Cisco on Wednesday released updates for two vulnerabilities in the web-based management interface of four series models of its Cisco IP Phones.
The more serious bug, a command injection vulnerability – CVE-2023-20078 – was rated critical with a CVSS score of 9.8 and affected Cisco IP Phone 6800, 7800, and 8800 Series Multiplatform phones. Cisco said the vulnerability could let an unauthenticated, remote attacker inject arbitrary commands that are executed with root privileges, in essence a remote code execution (RCE) attack.
CVE-2023-20078 is a web UI vulnerability caused by insufficient validation of user-supplied input. Cisco said an attacker could exploit it by sending a crafted request to the web-based management interface. A successful exploit could let an attacker execute arbitrary commands on the underlying operating system of the affected device.
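To make the bug class concrete, the following is an added illustration, not Cisco's code and not derived from the advisory: a hypothetical management-UI handler that takes an interface name from a request and builds a system command from it. The vulnerable version splices the parameter into a shell string; the hardened version validates it against an allowlist and passes it as a single argv element so the shell never interprets it. The parameter name, the sample requests and the `ifconfig` command are all assumptions chosen for the example.

```python
import re
import shlex

# Constructed sample request parameters, as an embedded web UI handler
# might receive them after parsing the HTTP request. Hypothetical names.
SAMPLE_REQUESTS = {
    "benign": {"iface": "eth0"},
    "crafted": {"iface": "eth0; echo injected"},
}

# Allowlist: a legitimate interface name is short, lowercase alphanumeric.
IFACE_RE = re.compile(r"^[a-z][a-z0-9]{0,14}$")

# Characters a shell treats specially; useful for flagging suspicious
# requests in access logs even before the handler is fixed.
SHELL_METACHARS = set(";|&$`\n<>(){}")


def vulnerable_build_command(params):
    """Insufficient validation: the raw parameter is concatenated into a
    shell command line. Returned rather than executed so the defect can be
    inspected; with shell=True the second statement would run as root."""
    return "ifconfig " + params["iface"]


def hardened_build_command(params):
    """Reject anything outside the allowlist and return an argv list.
    Passing a list with shell=False means no shell parsing takes place."""
    iface = params.get("iface", "")
    if not IFACE_RE.fullmatch(iface):
        raise ValueError("rejected interface name: %r" % iface)
    return ["ifconfig", iface]


def quoted_legacy_command(params):
    """If a code path must keep building a shell string, shlex.quote turns
    the value into a single quoted word so metacharacters lose meaning.
    Allowlisting is still preferable; quoting is the fallback."""
    return "ifconfig " + shlex.quote(params.get("iface", ""))


def contains_shell_metachars(value):
    """Detection helper: True when a request value carries shell syntax."""
    return any(ch in SHELL_METACHARS for ch in value)


def triage_requests(requests):
    """Classify each sample request as accepted or rejected by the
    hardened handler, and note whether it looked like an injection."""
    report = {}
    for name, params in requests.items():
        try:
            hardened_build_command(params)
            status = "accepted"
        except ValueError:
            status = "rejected"
        report[name] = (status, contains_shell_metachars(params["iface"]))
    return report


if __name__ == "__main__":
    for name, params in SAMPLE_REQUESTS.items():
        print(name, "vulnerable ->", repr(vulnerable_build_command(params)))
    print(triage_requests(SAMPLE_REQUESTS))
```

The crafted request shows the defect directly: the vulnerable builder produces a command line containing a second statement, while the hardened builder refuses the value and the quoting fallback reduces it to one inert argument. The `contains_shell_metachars` check is the kind of cheap signal a defender can apply to management-interface request logs while waiting to apply the vendor update.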
The other vulnerability – CVE-2023-20079 – was rated as high-severity with a CVSS score of 7.5. It affected Cisco IP Phone 6800, 7800, and 8800 Series Multiplatform Phones, as well as Cisco Unified IP Conference Phone 8831 and Unified IP Phone 7900 Series Phones.
Cisco said the vulnerability could let an unauthenticated, remote attacker cause an affected device to reload, resulting in a denial-of-service (DoS) condition. This flaw also lies in the web UI. An attacker could exploit it by sending a crafted request to the web-based management interface.
Cisco released updates to address the two vulnerabilities; there are no workarounds. The vendor said customers with service contracts that entitle them to regular software updates should obtain the security fixes through their usual update channels. Customers may only install, and expect support for, software versions and feature sets for which they have purchased a license.