
It's time to junk your Cisco SPA300 and SPA500 IP phones

A boffin from British defence contractor BAE has found three critical flaws in Cisco's Small Business SPA300 and SPA500 IP phones – and another couple of nasties – none of which will be fixed or mitigated.

In an advisory published Wednesday, Cisco explained the three most serious flaws – all rated CVSS 9.8 out of 10 – affect the web-based management interface of the devices and could allow an unauthenticated remote attacker to gain root privileges to hijack and meddle with the equipment.

The three worst vulnerabilities – CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454 – stem from the fact that the software doesn't handle incoming HTTP requests safely enough. An attacker could therefore send a crafted HTTP request to one of the phones, causing a buffer overflow and making it possible to execute arbitrary commands – with the aforementioned root privileges.

The other two flaws – CVE-2024-20451 and CVE-2024-20453 – are less serious and earn only a CVSS score of 7.8 thanks to their limited scope. Cisco reports these are also related to issues in HTTP checking mechanisms, but don't allow code execution. They do, however, offer a chance to take down the phones with a denial of service attack.
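As an added illustration of the defect class described above, and not Cisco's firmware or any code from the advisory, the following C sketch shows an HTTP header value being copied into a fixed-size buffer without a length check, beside a bounded version that rejects an oversized value instead of overrunning the buffer. All function names, the 32-byte limit, and the sample requests are constructed for this example.

```c
/* Added illustration (hypothetical handler, not Cisco code): the difference
 * between an unbounded and a bounded copy of an HTTP header value. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_VALUE_MAX 32   /* hypothetical fixed buffer size in the handler */

/* Locate the value of header `name` in a raw request. Returns a pointer to
 * the first value byte and stores its length (up to CRLF) in *len, or NULL
 * if the header is absent. Header names are matched case-sensitively here
 * to keep the sketch short. */
static const char *find_header(const char *req, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = strstr(req, "\r\n");        /* skip the request line */
    while (p) {
        p += 2;
        if (p[0] == '\r' || p[0] == '\0')        /* blank line: end of headers */
            break;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == ':') {
            p += nlen + 1;
            while (*p == ' ' || *p == '\t')
                p++;
            const char *end = strstr(p, "\r\n");
            *len = end ? (size_t)(end - p) : strlen(p);
            return p;
        }
        p = strstr(p, "\r\n");
    }
    return NULL;
}

/* The defect class the advisory describes: the value is copied into a
 * fixed buffer with no check against that buffer's size, so a header longer
 * than HDR_VALUE_MAX bytes writes past the end of `dst`. Shown for contrast
 * only; nothing below calls it. */
void copy_header_unbounded(char *dst, const char *src, size_t len)
{
    memcpy(dst, src, len);   /* no bound against the destination size */
    dst[len] = '\0';
}

/* Hardened form: the request is rejected when the value does not fit.
 * Returns 0 on success, -1 if the header is absent or too long. */
int copy_header_bounded(const char *req, const char *name,
                        char *dst, size_t dstlen)
{
    size_t len;
    const char *val = find_header(req, name, &len);
    if (!val || len >= dstlen) {       /* leave room for the terminator */
        if (dstlen)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, val, len);
    dst[len] = '\0';
    return 0;
}

/* Build a constructed request whose Host header is `host_len` bytes of 'A'.
 * Returns NULL if it would not fit in `buf`. */
static const char *build_request(char *buf, size_t buflen, size_t host_len)
{
    static const char prefix[] = "GET /admin/advanced HTTP/1.1\r\nHost: ";
    static const char suffix[] = "\r\nUser-Agent: test\r\n\r\n";
    if (sizeof(prefix) - 1 + host_len + sizeof(suffix) > buflen)
        return NULL;
    char *p = buf;
    memcpy(p, prefix, sizeof(prefix) - 1);
    p += sizeof(prefix) - 1;
    memset(p, 'A', host_len);
    p += host_len;
    memcpy(p, suffix, sizeof(suffix));   /* includes the terminating NUL */
    return buf;
}

/* Result of the bounded copy for a request with a Host value of host_len
 * bytes: 0 when it fits in HDR_VALUE_MAX, -1 when it is rejected,
 * -2 if the sample request itself could not be built. */
int check_request(size_t host_len)
{
    char req[512];
    char host[HDR_VALUE_MAX];
    if (!build_request(req, sizeof req, host_len))
        return -2;
    return copy_header_bounded(req, "Host", host, sizeof host);
}

int main(void)
{
    printf("13-byte Host:  %d (accepted)\n", check_request(13));
    printf("200-byte Host: %d (rejected)\n", check_request(200));
    return 0;
}
```

The point of the bounded version is that it rejects rather than silently truncates: a request the handler cannot represent is an error condition, and the caller can log or drop it instead of continuing with a mangled value.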

"Cisco has not released and will not release software updates to address the vulnerabilities that are described in this advisory," Switchzilla wrote in its alert. "Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones have entered the end-of-life process."


Cisco formally stopped shipping fixes for SPA300 handsets in 2020 and ended all support for the devices in February 2024. The last date on which owners of the SPA500 can renew service contracts is August 27, 2024, with obsolescence scheduled for May 31, 2025.

After that date, Cisco won't help – a stance it's also taken with phone adapters and routers it deems so ancient that customers need to acquire replacements.

Products like desktop phones, however, are often assumed to just keep on working forever – because they're just phones – so customers don't think of replacing them the way they do other tech. Plenty of orgs are going to have to either buy new kit or hope attackers don't figure out how to craft and dispatch a packet that crashes their handsets. The good news is Cisco advises it's not aware of any exploits in the wild. Yet.

The vulnerabilities were reportedly found by someone Cisco identified as "Aidan of BAE Systems Digital Intelligence," without providing a surname. We’ve found at least two people with that name in the infosec division of the British multinational. BAE had no comment at the time of publication. ®

Source: theregister.com
