[cisco-voip] Cisco Unified IP Phone Local Kernel System Call Input Validation Vulnerability

Ahmed Elnagar ahmed_elnagar at hotmail.com
Fri Jan 11 09:10:37 EST 2013


I think someone was asking about the below a couple of days

 

Regards,

Ahmed Elnagar | Unified Communication Team Leader | CCIE #24697, Voice


From: CiscoNotificationService at cisco.com
[mailto:CiscoNotificationService at cisco.com] 
Sent: Thursday, January 10, 2013 3:33 PM
To: Ahmed Elnagar
Subject: Cisco Notification Alert -UC-Products-01/10/2013 13:32 GMT

 


Cisco Notification Service Alert: 
________________________________________________________________________________


Security Advisories & Responses for All Voice and Unified Communications

	
	

Title

Cisco Unified IP Phone Local Kernel System Call Input Validation
Vulnerability
<http://www.cisco.com/en/US/products/csa/cisco-sa-20130109-uipphone.html> 


Description

Cisco Unified IP Phones 7900 Series versions 9.3(1)SR1 and prior contain an
arbitrary code execution vulnerability that could allow a local attacker to
execute code or modify arbitrary memory with elevated privileges. This
vulnerability is due to a failure to properly validate input passed to
kernel system calls from applications running in userspace. An attacker
could exploit this issue by gaining local access to the device using
physical access or authenticated access using SSH and executing an
attacker-controlled binary that is designed to exploit the issue. Such an
attack would originate from an unprivileged context. Ang Cui initially
reported the issue to the Cisco Product Security Incident Response Team
(PSIRT). On November 6, 2012, the Cisco PSIRT disclosed this issue in Cisco
bug ID CSCuc83860 (registered customers only) Release Note Enclosure.
Subsequently, Mr. Cui has spoken at several public conferences and has
performed public demonstrations of a device being compromised and used as a
listening device. Mitigations are available to help reduce the attack
surface of affected devices. See the "Details" section of this
security advisory and the accompanying Cisco Applied Mitigation Bulletin
(AMB) for additional information. This advisory is available at the
following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-uipphone


Date

09-JAN-2013

		
		


For more information, you can visit Cisco Security Advisories
<http://www.cisco.com/en/US/products/products_security_advisories_listing.html> & Responses index.
________________________________________________________________________________

