Critical Flaw in Cisco IP Phone Series Exposes Users to Command Injection Attack
Cisco on Wednesday rolled out security updates to address a critical flaw impacting its IP Phone 6800, 7800, 7900, and 8800 Series products.
The vulnerability, tracked as CVE-2023-20078, is rated 9.8 out of 10 on the CVSS scoring system and is described as a command injection bug in the web-based management interface arising due to insufficient validation of user-supplied input.
Successful exploitation of the bug could allow an unauthenticated, remote attacker to inject arbitrary commands that are executed with the highest privileges on the underlying operating system.
“An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface,” Cisco said in an alert published on March 1, 2023.
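The bug class the advisory describes, unvalidated user input from a web management page reaching the underlying operating system, is easiest to see in code. The following is an added illustration written for this article, not Cisco's firmware: a hypothetical diagnostics handler that takes a host parameter, with the unsafe string-building pattern beside an allowlist validator and an argv builder that never hands the value to a shell.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allowlist validator for a hypothetical "host" field on a management page.
   Only letters, digits, '.' and '-' are accepted and the length is bounded,
   so shell metacharacters (';', '|', '`', '$', newlines) never pass. */
bool is_safe_host_param(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 253) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return false;
    }
    /* A leading '-' would be parsed as an option by the spawned tool. */
    if (s[0] == '-') return false;
    return true;
}

/* The vulnerable pattern: the raw parameter is concatenated into a command
   line meant for a shell. Anything the shell treats specially in `host`
   becomes part of the command. Shown for contrast only; nothing is executed. */
int build_shell_command_unsafe(char *out, size_t cap, const char *host) {
    return snprintf(out, cap, "ping -c 1 %s", host);
}

/* The hardened pattern: validate first, then build a NULL-terminated argv
   for execv() so the value is a single argument and no shell parses it. */
int build_ping_argv(const char *host, const char *argv[5]) {
    if (!is_safe_host_param(host)) return -1;
    argv[0] = "/bin/ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 0;
}
```

The validator runs before any process is spawned, so a rejected parameter produces an error page rather than a command line; with the unsafe builder, the same rejected input would have reached the shell intact.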
Also patched by the company is a high-severity denial-of-service (DoS) vulnerability affecting the same set of devices, as well as the Cisco Unified IP Conference Phone 8831 and Unified IP Phone 7900 Series.
CVE-2023-20079 (CVSS score: 7.5), also a result of insufficient validation of user-supplied input in the web-based management interface, could be abused by an adversary to cause a DoS condition.
While Cisco has released Cisco Multiplatform Firmware version 11.3.7SR1 to resolve CVE-2023-20078, the company said it does not plan to fix CVE-2023-20079 on the Unified IP Conference Phone 8831 and Unified IP Phone 7900 Series, as both product lines have reached end-of-life (EoL).
The company said it is not aware of any malicious exploitation attempts targeting the flaws, which it said were discovered during internal security testing.
The advisory comes as Aruba Networks, a subsidiary of Hewlett Packard Enterprise, released an update to ArubaOS to remediate multiple unauthenticated command injection and stack-based buffer overflow flaws (from CVE-2023-22747 through CVE-2023-22752, CVSS scores: 9.8) that could result in code execution.