Aon’s Cyber Solutions recently discovered a vulnerability affecting Cisco’s SPA500 Series IP phone firmware 7.6.2SR5 and earlier, allowing attackers with physical access to obtain a root shell on the device through misuse of debug functionality. This issue has been assigned CVE-2019-15959 and was discovered by Dustin Cobb.
Timeline:
04/19/19 – Initial disclosure to Cisco, case opened
04/29/19 – Issues confirmed
10/03/19 – Disclosure date of 11/6 confirmed
11/06/19 – Aon / Cisco public disclosure
Vendor Advisory:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-spa500-script
Cisco has not released patches for the vulnerability at this time. Aon would like to thank Cisco PSIRT for working with us as part of our coordinated disclosure process to make users aware of the issue.
Details:
During firmware boot, a startup script attempts to call a debug script located on a USB device that is plugged into the unit. Based on comments in the script, this functionality was not intended to remain in the production release of the firmware. An attacker who creates a USB drive with exploit code in an appropriately named file can obtain a root shell by booting the phone with the malicious USB drive inserted.
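For firmware reviewers, the class of issue described above can be checked for in an extracted root filesystem by flagging boot-script lines that run or source a file from a removable-media mount point. The following is an added example, not code from Aon or Cisco; the mount prefixes, the sample script and the name `dbg.sh` are constructed assumptions, not the paths used on the SPA500.

```python
import re
import shlex

INTERPRETERS = {"sh", "ash", "bash", ".", "source"}
KEYWORDS = {"if", "then", "else", "elif", "do", "while", "exec", "!"}
ASSIGN = re.compile(r"^\s*(\w+)=(\S*)\s*$")

# Constructed sample boot script; paths and file names are hypothetical.
SAMPLE = """\
#!/bin/sh
# constructed sample, not the vendor's script
USBDIR=/mnt/usb
mount -t vfat /dev/sda1 $USBDIR
# debug hook, remove before release
if [ -f $USBDIR/dbg.sh ]; then
    sh $USBDIR/dbg.sh
fi
cp $USBDIR/ringtone.wav /data/
/usr/sbin/phoneapp &
"""

def find_removable_exec(script, mounts=("/mnt/usb", "/media", "/mnt/sd")):
    """Return (line_no, text) for lines that run or source a file from removable media."""
    variables, findings = {}, []
    for no, raw in enumerate(script.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*", "", raw)  # drop comments (naive, ignores quoting)
        # Expand $VAR / ${VAR} using simple assignments seen earlier in the script.
        line = re.sub(r"\$\{?(\w+)\}?",
                      lambda m: variables.get(m.group(1), m.group(0)), line)
        m = ASSIGN.match(line)
        if m:
            variables[m.group(1)] = m.group(2).strip("\"'")
            continue
        # Each ;, &&, ||, | or & starts a new command position.
        for segment in re.split(r";|&&|\|\||\||&", line):
            try:
                tokens = shlex.split(segment)
            except ValueError:
                tokens = segment.split()
            while tokens and tokens[0] in KEYWORDS:
                tokens.pop(0)
            if not tokens:
                continue
            target = tokens[0]
            if target.rsplit("/", 1)[-1] in INTERPRETERS:
                args = [t for t in tokens[1:] if not t.startswith("-")]
                target = args[0] if args else ""
            if any(target.startswith(mp + "/") for mp in mounts):
                findings.append((no, raw.strip()))
                break
    return findings
```

Existence tests such as `[ -f ... ]` and data copies from the mount are deliberately not reported; only paths in command position, or passed to a shell interpreter, are.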