
Cisco patches denial of service flaw affecting VoIP Phones

Cisco patched a High severity IPv4 fragmentation vulnerability that could result in a denial of service, along with three other Medium severity bugs.

The High severity vulnerability (CVE-2018-0369) affected Cisco VoIP phones and resulted from improper handling of fragmented IPv4 packets containing options. An attacker could exploit it by sending a malicious IPv4 packet across an affected device.

“A vulnerability in the reassembly logic for fragmented IPv4 packets of Cisco StarOS running on virtual platforms could allow an unauthenticated, remote attacker to trigger a reload of the npusim process, resulting in a denial of service (DoS) condition,” the advisory said.
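For defenders triaging captured traffic, the following added example (not from the article or Cisco's advisory) parses raw IPv4 headers and flags the packet class described above: fragments whose header carries IP options. It identifies that class only, not an exploit attempt; the function names and sample bytes are constructed for this illustration.

```python
import struct

def walk_options(raw: bytes):
    """Return (option type bytes seen, malformed flag) for an IPv4 options area."""
    types, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation padding
            i += 1
            continue
        # Length byte missing, below the 2-byte minimum, or overrunning the header
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            return types, True
        types.append(kind)
        i += raw[i + 1]
    return types, False

def parse_ipv4(packet: bytes) -> dict:
    """Extract the header fields that matter for fragment/option triage."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _length, ident, flags_frag = struct.unpack("!BBHHH", packet[:8])
    hdr_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or hdr_len < 20 or len(packet) < hdr_len:
        raise ValueError("not a well-formed IPv4 header")
    types, malformed = walk_options(packet[20:hdr_len])
    offset = (flags_frag & 0x1FFF) * 8     # fragment offset in bytes
    return {"id": ident, "offset": offset,
            "fragment": bool(flags_frag & 0x2000) or offset > 0,  # MF set or offset > 0
            "has_options": hdr_len > 20,
            "option_types": types, "malformed_options": malformed}

def is_fragment_with_options(packet: bytes) -> bool:
    """True for a fragment whose header carries IP options."""
    info = parse_ipv4(packet)
    return info["fragment"] and info["has_options"]

def sample(options: bytes, flags_frag: int) -> bytes:
    """Constructed header: checksum left at 0, TEST-NET-1 addresses, no payload."""
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0x1234,
                       flags_frag, 64, 17, 0, bytes([192, 0, 2, 1]),
                       bytes([192, 0, 2, 2])) + options

RECORD_ROUTE = bytes([7, 7, 4, 0, 0, 0, 0, 0])   # constructed: type 7, len 7, then EOL
```

Feed `is_fragment_with_options` the IP-layer bytes of each captured packet; a hit with `malformed_options` set is worth closer inspection.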

This vulnerability affects IP Phone 6800, 7800 and 8800 series devices running Multiplatform Firmware releases prior to Release 11.2(1).

The medium severity vulnerabilities include a FireSIGHT system software file policy bypass vulnerability, a FireSIGHT system software URL-based access control policy bypass vulnerability, and a web security appliance cross-site scripting vulnerability.

There are no workarounds to address any of the vulnerabilities, and patches addressing the flaws were released on Wednesday.
