Aon’s Cyber Solutions recently discovered multiple vulnerabilities affecting Cisco’s SPA500 Series IP phone firmware 7.6.2SR5 and earlier, allowing attackers with physical access to obtain a root shell on the device due to command injection and buffer overflow issues. Both issues have been assigned CVE-2019-1923 and were discovered by Dustin Cobb.
Cisco has chosen to not release patches for these vulnerabilities at this time, and instead recommends enabling a local password to prevent unauthorized access to the vulnerable components. Aon would like to thank Cisco PSIRT for working with us as part of our coordinated disclosure process to make users aware of these issues.
04/19/19 – Initial disclosure to Cisco, case opened
04/29/19 – Issues confirmed
06/11/19 – Disclosure date of 7/17 confirmed
07/17/19 – Aon / Cisco public disclosure
Command injection and buffer overflow vulnerabilities were discovered in the function used from the phone’s onscreen configuration system to set up the wallpaper. These vulnerabilities occur because of calls to the dangerous functions sprintf() and system() with user-controllable input from a USB device plugged into the system. By default, the vulnerable configuration options are accessible without a password.
Author: Dustin Cobb