For the second time in one week security advisories were issued for a line of Cisco IP phones.
On March 20 the company addressed vulnerabilities in its Series 7800 and 8800 phones, this follows a pair of advisories that were issued on March 14 covering its SPA514G IP phones. All the warnings are rated high.
The Series 8800 line has five individual vulnerabilities one of which is shared the Series 7800. These are:
- CVE-2019-1764 - Cross-site request forgery vulnerability that is due to insufficient CSRF protections for the web-based management interface of an affected device. To exploit the issue an attacker would have to convince the use to follow a crafted link resulting in being able to perform arbitrary actions on a targeted device via a web browser with the privileges of the user.
- CVE-2019-1716 (Series 8800 and Series 7800) – A remote code execution flaw that if exploited could lead to a DoS situation or the ability to run arbitrary code. This could be accomplished by connecting to an affected device using HTTP and supplying malicious user credentials.
- CVE-2019-1763 – Is an authorization bypass vulnerability that could allow an unauthenticated, remote attacker to bypass authorization, access critical services, and cause a denial of service (DoS) condition by crafting and submitting to the user a specially crafted URL.
- CVE-2019-1766 – can also lead to a DoS situation by allowing a remote attacker to cause high disk utilization by writing a file that consumes most of the available disk space on the system, resulting in a DoS condition.
- CVE-2019-1765 – Is a path traversal vulnerability that if exploited could allow an attacker to write arbitrary files to the filesystem. The problem is due to insufficient input validation and file-level permissions.
Cisco has released patches for all the aforementioned vulnerabilities.