Cisco warns of critical RCE zero-days in end-of-life IP phones (August 13, 2024)

Ref# AL2024_27 | Date: Aug 13th 2024

Description

Cisco has issued a warning concerning multiple critical remote code execution (RCE) zero-day vulnerabilities in its end-of-life Small Business SPA 300 and SPA 500 series IP phones. These vulnerabilities present significant security risk because they allow unauthenticated, remote attackers to execute arbitrary commands on affected devices with root privileges. Because these models are no longer supported, Cisco has not released fixes or workarounds. Users are strongly advised to migrate to newer, supported IP phone models to safeguard their systems.

Attack Details

Cisco disclosed five vulnerabilities in total, with three rated as critical (CVSS v3.1 score: 9.8) and two categorized as high severity (CVSS v3.1 score: 7.5). Below are the details of the critical vulnerabilities:

CVE-2024-20450, CVE-2024-20452, CVE-2024-20454: These critical vulnerabilities are caused by buffer overflow issues in the web-based management interface of the affected IP phones. An attacker can exploit these flaws by sending a specially crafted HTTP request to the target device. A successful exploit allows the attacker to overflow an internal buffer, leading to arbitrary command execution with root privileges.

The high-severity vulnerabilities, CVE-2024-20451 and CVE-2024-20453, stem from inadequate checks on incoming HTTP packets. These flaws could enable attackers to send malicious packets that cause a denial of service (DoS) on the affected devices. Notably, all five vulnerabilities affect all software releases on the SPA 300 and SPA 500 series IP phones, regardless of device configuration. Each flaw can be exploited independently of the others, which increases the overall risk.

Remediation

Given the end-of-life status of the SPA 300 and SPA 500 series IP phones, Cisco has not released security patches to address these vulnerabilities. Therefore, the best course of action for users is to transition to newer, supported IP phone models as soon as possible.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
