A high-severity vulnerability has been discovered in a widely-used Cisco phone adapter that could allow threat actors to execute arbitrary code on the target endpoints, the company has confirmed.
Users are advised to move to a different device, given that the vulnerable ones reached end-of-life and are no longer receiving upgrades and fixes.
Cisco said that its SPA112 2-Port Phone Adapter lacks proper authentication processes in its firmware upgrade function. As a result, victims could end up installing a malicious (opens in new tab) firmware update, and, “a successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges.”
Local access only
The flaw is tracked as CVE-2023-20126, and has a severity score of 9.8 – critical.
The publication claims the adapters are “popular” among organizations looking to use analog phones on their VoIP networks without needing to upgrade. The silver lining in the flaw is that the adapters are not usually connected to the public internet, meaning threat actors would need to first access the local network in order to be able to exploit the flaw.
However, the vulnerability could be used to move laterally through the target network more easily, the publication adds, as security software usually doesn’t monitor tools such as this one.
Given that the SPA112 reached end-of-life status and isn’t receiving updates, Cisco said it wouldn’t be addressing the vulnerability with a fix. Instead, it has told its customers to replace it with the ATA 190 Series Analog Telephone Adapter, a device that will be supported until March 31, 2024.
Cisco said that there is no evidence the flaw is currently being abused in the wild, but now that the information is out there, incursions are bound to happen. Outdated software and hardware are one of the most common ways hackers access target networks.
Via: BleepingComputer (opens in new tab)
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba