FYI.... if you didn't see it<div><br></div><div>Scott<div class="gmail_quote"><br>-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified IP<br>
Phones 7900 Series<br>
<br>
Advisory ID: cisco-sa-20110601-phone<br>
<br>
Revision 1.0<br>
<br>
For Public Release 2011 June 1 1600 UTC (GMT)<br>
<br>
+----------------------------------------------------------------<br>
<br>
Summary<br>
=======<br>
<br>
Cisco Unified IP Phones 7900 Series devices, also known as TNP<br>
phones, are affected by three vulnerabilities that could allow an<br>
attacker to elevate privileges, change phone configurations, disclose<br>
sensitive information, or load unsigned software. These three<br>
vulnerabilities are classified as two privilege escalation<br>
vulnerabilities and one signature bypass vulnerability.<br>
<br>
Cisco has released free software updates that address these<br>
vulnerabilities. There are no workarounds available to mitigate these<br>
vulnerabilities.<br>
<br>
This advisory is posted at:<br>
<a href="http://www.cisco.com/warp/public/707/cisco-sa-20110601-phone.shtml" target="_blank">http://www.cisco.com/warp/public/707/cisco-sa-20110601-phone.shtml</a>.<br>
<br>
Affected Products<br>
=================<br>
<br>
Only Cisco Unified IP Phones 7900 Series devices, also known as TNP<br>
phones, are affected.<br>
<br>
<br>
<br>
Vulnerable Products<br>
+------------------<br>
<br>
The following Cisco Unified IP Phone devices are affected:<br>
<br>
* Cisco Unified IP Phone 7975G<br>
* Cisco Unified IP Phone 7971G-GE<br>
* Cisco Unified IP Phone 7970G<br>
* Cisco Unified IP Phone 7965G<br>
* Cisco Unified IP Phone 7962G<br>
* Cisco Unified IP Phone 7961G<br>
* Cisco Unified IP Phone 7961G-GE<br>
* Cisco Unified IP Phone 7945G<br>
* Cisco Unified IP Phone 7942G<br>
* Cisco Unified IP Phone 7941G<br>
* Cisco Unified IP Phone 7941G-GE<br>
* Cisco Unified IP Phone 7931G<br>
* Cisco Unified IP Phone 7911G<br>
* Cisco Unified IP Phone 7906<br>
<br>
The following models have reached end-of-life (EOL) status (for<br>
hardware only):<br>
<br>
* Cisco Unified IP Phone 7971G-GE<br>
* Cisco Unified IP Phone 7970G<br>
* Cisco Unified IP Phone 7961G<br>
* Cisco Unified IP Phone 7961G-GE<br>
* Cisco Unified IP Phone 7941G<br>
* Cisco Unified IP Phone 7941G-GE<br>
* Cisco Unified IP Phone 7906<br>
<br>
Refer to the following link to determine what product upgrade and<br>
substitution options are available:<br>
<br>
<a href="http://www.cisco.com/en/US/products/hw/phones/ps379/prod_eol_notices_list.html" target="_blank">http://www.cisco.com/en/US/products/hw/phones/ps379/prod_eol_notices_list.html</a><br>
<br>
<br>
<br>
Products Confirmed Not Vulnerable<br>
+--------------------------------<br>
<br>
No other Cisco products are currently known to be affected by these<br>
vulnerabilities.<br>
<br>
<br>
Details<br>
=======<br>
<br>
Cisco Unified IP Phones 7900 Series devices are affected by two<br>
privilege escalation vulnerabilities and a signature bypass<br>
vulnerability. The following sections provide the details of each<br>
vulnerability addressed in this security advisory.<br>
<br>
Privilege Escalation Vulnerabilities<br>
+------------------------------------<br>
Cisco Unified IP Phones 7900 Series devices are affected by two<br>
privilege escalation vulnerabilities that could allow an<br>
authenticated attacker to make unauthorized phone configuration<br>
changes or obtain potentially sensitive information.<br>
<br>
These vulnerabilities are documented in Cisco bug IDs CSCtf07426<br>
and CSCtn65815 and have been assigned Common Vulnerabilities and<br>
Exposures (CVE) identifiers CVE-2011-1602 and CVE-2011-1603<br>
respectively.<br>
<br>
Signature Verification Bypass Vulnerability<br>
+------------------------------------------<br>
Cisco Unified IP Phones 7900 Series devices are affected by a<br>
signature verification bypass vulnerability that could allow an<br>
authenticated attacker to load a software image without verification<br>
of its signature.<br>
<br>
This vulnerability is documented in Cisco bug ID CSCtn65962<br>
and has been assigned CVE identifier CVE-2011-1637.<br>
<br>
Vulnerability Scoring Details<br>
+----------------------------<br>
Cisco has provided scores for the vulnerabilities in this advisory<br>
based on the Common Vulnerability Scoring System (CVSS). The CVSS<br>
scoring in this Security Advisory is done in accordance with CVSS<br>
version 2.0.<br>
<br>
CVSS is a standards-based scoring method that conveys vulnerability<br>
severity and helps determine urgency and priority of response.<br>
<br>
Cisco has provided a base and temporal score. Customers can then<br>
compute environmental scores to assist in determining the impact of<br>
the vulnerability in individual networks.<br>
<br>
Cisco has provided an FAQ to answer additional questions regarding<br>
CVSS at:<br>
<br>
<a href="http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html" target="_blank">http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html</a><br>
<br>
Cisco has also provided a CVSS calculator to help compute the<br>
environmental impact for individual networks at:<br>
<br>
<a href="http://intellishield.cisco.com/security/alertmanager/cvss" target="_blank">http://intellishield.cisco.com/security/alertmanager/cvss</a><br>
<br>
* CSCtf07426 - Privilege Escalation with "su" utility<br>
<br>
CVSS Base Score - 6.6<br>
Access Vector - Local<br>
Access Complexity - Medium<br>
Authentication - Single<br>
Confidentiality Impact - Complete<br>
Integrity Impact - Complete<br>
Availability Impact - Complete<br>
<br>
CVSS Temporal Score - 5.5<br>
Exploitability - Functional<br>
Remediation Level - Official-Fix<br>
Report Confidence - Confirmed<br>
<br>
<br>
* CSCtn65815 - Privilege Escalation in IP Phones<br>
<br>
CVSS Base Score - 6.6<br>
Access Vector - Local<br>
Access Complexity - Medium<br>
Authentication - Single<br>
Confidentiality Impact - Complete<br>
Integrity Impact - Complete<br>
Availability Impact - Complete<br>
<br>
CVSS Temporal Score - 5.5<br>
Exploitability - Functional<br>
Remediation Level - Official-Fix<br>
Report Confidence - Confirmed<br>
<br>
<br>
* CSCtn65962 - Phones Permits the Installation of Unsigned Code<br>
<br>
CVSS Base Score - 1.5<br>
Access Vector - Local<br>
Access Complexity - Medium<br>
Authentication - Single<br>
Confidentiality Impact - Partial<br>
Integrity Impact - None<br>
Availability Impact - None<br>
<br>
CVSS Temporal Score - 1.2<br>
Exploitability - Functional<br>
Remediation Level - Official-Fix<br>
Report Confidence - Confirmed<br>
<br>
Impact<br>
======<br>
<br>
Successful exploitation of the two privilege escalation<br>
vulnerabilities could allow an authenticated attacker to change phone<br>
configuration and obtain system information.<br>
<br>
Successful exploitation of the signature verification bypass<br>
vulnerability could allow an authenticated attacker to load and<br>
execute a software image without verification of its signature.<br>
<br>
<br>
Software Versions and Fixes<br>
===========================<br>
<br>
When considering software upgrades, also consult:<br>
<a href="http://www.cisco.com/go/psirt" target="_blank">http://www.cisco.com/go/psirt</a> and any subsequent advisories to<br>
determine exposure and a complete upgrade solution.<br>
<br>
In all cases, customers should exercise caution to be certain the<br>
devices to be upgraded contain sufficient memory and that current<br>
hardware and software configurations will continue to be supported<br>
properly by the new release. If the information is not clear, contact<br>
the Cisco Technical Assistance Center (TAC) or your contracted<br>
maintenance provider for assistance.<br>
<br>
+-----------------------------------------------------------------------------------------+<br>
| Vulnerability | First Fixed Release |<br>
|-----------------------------------------------------------------+-----------------------|<br>
| CSCtf07426 - Privilege Escalation with "su" utility | 9.0.3 |<br>
|-----------------------------------------------------------------+-----------------------|<br>
| CSCtn65815 - Privilege Escalation in IP Phones | 9.2.1 |<br>
|-----------------------------------------------------------------+-----------------------|<br>
| CSCtn65962 - Phones Permits the Installation of Unsigned Code | 9.2.1 |<br>
+-----------------------------------------------------------------------------------------+<br>
<br>
<br>
<br>
Workarounds<br>
===========<br>
<br>
There are no workarounds available to mitigate any of these<br>
vulnerabilities. Note: All of these vulnerabilities require the<br>
attacker to be authenticated.<br>
<br>
<br>
Obtaining Fixed Software<br>
========================<br>
<br>
Cisco has released free software updates that address these<br>
vulnerabilities. Prior to deploying software, customers should<br>
consult their maintenance provider or check the software for feature<br>
set compatibility and known issues specific to their environment.<br>
<br>
Customers may only install and expect support for the feature sets<br>
they have purchased. By installing, downloading, accessing or<br>
otherwise using such software upgrades, customers agree to be bound<br>
by the terms of Cisco's software license terms found at:<br>
<a href="http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html" target="_blank">http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html</a><br>
or as otherwise set forth at Cisco.com Downloads at:<br>
<a href="http://www.cisco.com/public/sw-center/sw-usingswc.shtml" target="_blank">http://www.cisco.com/public/sw-center/sw-usingswc.shtml</a><br>
<br>
Do not contact <a href="mailto:psirt@cisco.com">psirt@cisco.com</a> or <a href="mailto:security-alert@cisco.com">security-alert@cisco.com</a> for<br>
software upgrades.<br>
<br>
<br>
<br>
Customers with Service Contracts<br>
+-------------------------------<br>
<br>
Customers with contracts should obtain upgraded software through<br>
their regular update channels. For most customers, this means that<br>
upgrades should be obtained through the Software Center on Cisco's<br>
worldwide website at <a href="http://www.cisco.com" target="_blank">http://www.cisco.com</a><br>
<br>
<br>
<br>
Customers using Third Party Support Organizations<br>
+------------------------------------------------<br>
<br>
Customers whose Cisco products are provided or maintained through<br>
prior or existing agreements with third-party support organizations,<br>
such as Cisco Partners, authorized resellers, or service providers<br>
should contact that support organization for guidance and assistance<br>
with the appropriate course of action in regards to this advisory.<br>
<br>
The effectiveness of any workaround or fix is dependent on specific<br>
customer situations, such as product mix, network topology, traffic<br>
behavior, and organizational mission. Due to the variety of affected<br>
products and releases, customers should consult with their service<br>
provider or support organization to ensure any applied workaround or<br>
fix is the most appropriate for use in the intended network before it<br>
is deployed.<br>
<br>
<br>
Customers without Service Contracts<br>
+----------------------------------<br>
<br>
Customers who purchase direct from Cisco but do not hold a Cisco<br>
service contract, and customers who purchase through third-party<br>
vendors but are unsuccessful in obtaining fixed software through<br>
their point of sale should acquire upgrades by contacting the Cisco<br>
Technical Assistance Center (TAC). TAC contacts are as follows.<br>
<br>
* <a href="tel:%2B1%20800%20553%202447" value="+18005532447">+1 800 553 2447</a> (toll free from within North America)<br>
* <a href="tel:%2B1%20408%20526%207209" value="+14085267209">+1 408 526 7209</a> (toll call from anywhere in the world)<br>
* e-mail: <a href="mailto:tac@cisco.com">tac@cisco.com</a><br>
<br>
Customers should have their product serial number available and be<br>
prepared to give the URL of this notice as evidence of entitlement to<br>
a free upgrade. Free upgrades for non-contract customers must be<br>
requested through the TAC.<br>
<br>
Refer to:<br>
<a href="http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html" target="_blank">http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html</a><br>
for additional TAC contact information, including localized telephone<br>
numbers, and instructions and e-mail addresses for use in various languages.<br>
<br>
<br>
Exploitation and Public Announcements<br>
=====================================<br>
<br>
The Cisco PSIRT is not aware of any public announcements or malicious<br>
use of the vulnerability described in this advisory.<br>
<br>
These vulnerabilities were discovered and reported to Cisco by Matt<br>
Duggan of Qualcomm.<br>
<br>
<br>
Status of this Notice: FINAL<br>
============================<br>
<br>
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY<br>
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF<br>
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE<br>
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS<br>
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS<br>
DOCUMENT AT ANY TIME.<br>
<br>
A stand-alone copy or paraphrase of the text of this document that<br>
omits the distribution URL in the following section is an<br>
uncontrolled copy, and may lack important information or contain<br>
factual errors.<br>
<br>
<br>
Distribution<br>
============<br>
<br>
This advisory is posted on Cisco's worldwide website at:<br>
<br>
<a href="http://www.cisco.com/warp/public/707/cisco-sa-20110601-phone.shtml" target="_blank">http://www.cisco.com/warp/public/707/cisco-sa-20110601-phone.shtml</a><br>
<br>
In addition to worldwide web posting, a text version of this notice<br>
is clear-signed with the Cisco PSIRT PGP key and is posted to the<br>
following e-mail and Usenet news recipients.<br>
<br>
* <a href="mailto:cust-security-announce@cisco.com">cust-security-announce@cisco.com</a><br>
* <a href="mailto:first-bulletins@lists.first.org">first-bulletins@lists.first.org</a><br>
* <a href="mailto:bugtraq@securityfocus.com">bugtraq@securityfocus.com</a><br>
* <a href="mailto:vulnwatch@vulnwatch.org">vulnwatch@vulnwatch.org</a><br>
* <a href="mailto:cisco@spot.colorado.edu">cisco@spot.colorado.edu</a><br>
* <a href="mailto:cisco-nsp@puck.nether.net">cisco-nsp@puck.nether.net</a><br>
* <a href="mailto:full-disclosure@lists.grok.org.uk">full-disclosure@lists.grok.org.uk</a><br>
* <a href="mailto:comp.dcom.sys.cisco@newsgate.cisco.com">comp.dcom.sys.cisco@newsgate.cisco.com</a><br>
<br>
Future updates of this advisory, if any, will be placed on Cisco's<br>
worldwide website, but may or may not be actively announced on<br>
mailing lists or newsgroups. Users concerned about this problem are<br>
encouraged to check the above URL for any updates.<br>
<br>
<br>
Revision History<br>
================<br>
<br>
+---------------------------------------------------------+<br>
| Revision 1.0 | 2011-June-01 | Initial public release. |<br>
+---------------------------------------------------------+<br>
<br>
<br>
<br>
Cisco Security Procedures<br>
=========================<br>
<br>
Complete information on reporting security vulnerabilities in Cisco<br>
products, obtaining assistance with security incidents, and<br>
registering to receive security information from Cisco, is available<br>
on Cisco's worldwide website at:<br>
<a href="http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html" target="_blank">http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html</a><br>
This includes instructions for press inquiries regarding Cisco security notices.<br>
All Cisco security advisories are available at:<br>
<a href="http://www.cisco.com/go/psirt" target="_blank">http://www.cisco.com/go/psirt</a><br>
<br>
+--------------------------------------------------------------------<br>
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.<br>
+--------------------------------------------------------------------<br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.5 (SunOS)<br>
<br>
iFcDBQFN5k0FQXnnBKKRMNARCCF9AP0ar3AfiP9uA0nW3t6SFYx6XIdGytUG2S/K<br>
1SMd+3y7wgEAhzzCUzc85QKeV/jicP5lXboEspr5eU7MftNMqM1oUNw=<br>
=ZBzs<br>
-----END PGP SIGNATURE-----<br>
</div><br></div>
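
The advisory gives CVSS version 2.0 base and temporal scores and leaves the environmental score to each customer. The following added example (not part of the forwarded advisory and not Cisco code) implements the CVSS v2 equations, reproduces the published 6.6/5.5 and 1.5/1.2 scores, and computes an environmental score. The vector strings are assembled here from the metric values the advisory lists, and the site profile at the end is a constructed assumption.

```python
# Added example: CVSS v2 base/temporal/environmental equations (not Cisco code).
from decimal import Decimal, ROUND_HALF_UP

W = {  # CVSS v2 metric weights
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "CIA": {"N": 0.0, "P": 0.275, "C": 0.660},
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.9, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.9, "UR": 0.95, "C": 1.0, "ND": 1.0},
    "REQ": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
}

def r1(x):
    """Round to one decimal place (half up)."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def score(vector):
    """Return (base, temporal, environmental) for a CVSS v2 vector string."""
    m = dict(part.split(":") for part in vector.split("/"))
    w = lambda table, key: W[table][m.get(key, "ND")]  # unset metrics are ND
    c, i, a = (W["CIA"][m[k]] for k in ("C", "I", "A"))
    expl = 20 * w("AV", "AV") * w("AC", "AC") * w("Au", "Au")
    temporal_factor = w("E", "E") * w("RL", "RL") * w("RC", "RC")

    def base_from(impact):
        f = 0.0 if impact == 0 else 1.176
        return r1((0.6 * impact + 0.4 * expl - 1.5) * f)

    base = base_from(10.41 * (1 - (1 - c) * (1 - i) * (1 - a)))
    temporal = r1(base * temporal_factor)
    # Environmental: re-weight C/I/A by the site's security requirements.
    adj = 10.41 * (1 - (1 - c * w("REQ", "CR")) * (1 - i * w("REQ", "IR"))
                   * (1 - a * w("REQ", "AR")))
    adj_temporal = r1(base_from(min(10.0, adj)) * temporal_factor)
    env = r1((adj_temporal + (10 - adj_temporal) * w("CDP", "CDP")) * w("TD", "TD"))
    return base, temporal, env

# Vectors assembled from the metric values listed in the advisory.
PRIV_ESC = "AV:L/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C"   # CSCtf07426, CSCtn65815
UNSIGNED = "AV:L/AC:M/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C"   # CSCtn65962

if __name__ == "__main__":
    print(score(PRIV_ESC), score(UNSIGNED))
    # Constructed site profile: high C/I requirements, medium target distribution.
    print(score(PRIV_ESC + "/CDP:LM/TD:M/CR:H/IR:H/AR:L"))
```

With no environmental metrics set, the environmental score equals the temporal score; a target distribution of None drives it to 0.0, which is the correct result for a network with no affected phones.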