<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body style="font-family: serif; font-size: 13px;" text="#000000"
bgcolor="#FFFFFF">
<div id="QCMcontainer" style="font-family:serif;font-size:13px;">
<div class="moz-cite-prefix">A public security advisory posted:<br>
<br>
<a class="moz-txt-link-freetext" href="http://www.cisco.com/en/US/products/csa/cisco-sa-20130109-uipphone.html">http://www.cisco.com/en/US/products/csa/cisco-sa-20130109-uipphone.html</a><br>
<br>
HTH,<br>
<pre class="moz-signature" cols="72">Adam </pre>
<hr tabindex="0"><font style="font-size:x-small" face="Tahoma"><!--@A@--><b>From:</b>
Adam Frankel <a class="moz-txt-link-rfc2396E" href="mailto:afrankel@cisco.com">&lt;afrankel@cisco.com&gt;</a><!--@A@--><br>
<!--@D@--><b>Sent:</b> Fri, Jan 04, 2013 2:24:57 PM<!--@D@--><br>
<!--@R@--><b>To:</b> Cisco VOIP
<a class="moz-txt-link-rfc2396E" href="mailto:cisco-voip@puck.nether.net">&lt;cisco-voip@puck.nether.net&gt;</a><!--@R@--><br>
<!--@C@--><b>CC:</b>
<!--@C@--><br>
<!--@S@--><b>Subject:</b> Re: [cisco-voip] Cisco phones
vulnerable to hack / remote access?<!--@S@--><br>
</font><br>
</div>
<blockquote style="border: medium none ! important; padding-left:
0px ! important; padding-right: 0px ! important; margin-left:
0px ! important; margin-right: 0px ! important; font-size:
medium;" cite="mid:50E72C89.9050400@cisco.com" type="cite">
<div id="QCMcontainer" style="font-family:serif;font-size:13px;">PSIRT
will be including all updated information related to this on
the defect, CSCuc83860. <br>
<div class="moz-cite-prefix"><br>
<pre class="moz-signature" cols="72">Adam
</pre>
<hr tabindex="0"><font style="font-size:x-small"
face="Tahoma"><!--@A@--><b>From:</b> Ed Leatherman <a
moz-do-not-send="true" class="moz-txt-link-rfc2396E"
href="mailto:ealeatherman@gmail.com">&lt;ealeatherman@gmail.com&gt;</a><!--@A@--><br>
<!--@D@--><b>Sent:</b> Fri, Jan 04, 2013 2:11:24 PM<!--@D@--><br>
<!--@R@--><b>To:</b> Scott Voll <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:svoll.voip@gmail.com">&lt;svoll.voip@gmail.com&gt;</a><!--@R@--><br>
<!--@C@--><b>CC:</b> Cisco VOIP <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:cisco-voip@puck.nether.net">&lt;cisco-voip@puck.nether.net&gt;</a><!--@C@--><br>
<!--@S@--><b>Subject:</b> Re: [cisco-voip] Cisco phones
vulnerable to hack / remote access?<!--@S@--><br>
</font><br>
</div>
<blockquote style="border:none !important; padding-left:0px
!important; padding-right:0px !important; margin-left:0px
!important; margin-right:0px !important"
cite="mid:CAFC4dsp8XVUYSmiTG5FQAv=DtR7p5YYuyhROhy2S41Or8F+7-Q@mail.gmail.com"
type="cite">
<div dir="ltr">I completely missed the video at the top of
the IEEE article the first time I read it... I think my
brain saw it as an advertisement and just ignored it.
<div><br>
</div>
<div style="">The researchers' full presentation is here
also:</div>
<div style=""><a moz-do-not-send="true"
href="http://www.youtube.com/watch?v=f3zUOZcewtA&amp;feature=youtu.be">http://www.youtube.com/watch?v=f3zUOZcewtA&amp;feature=youtu.be</a><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote"> On Fri, Jan 4, 2013 at 10:02 AM,
Scott Voll <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:svoll.voip@gmail.com" target="_blank">svoll.voip@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Lelio sent this out a week or two ago.
<a moz-do-not-send="true"
href="http://m.spectrum.ieee.org/computing/embedded-systems/cisco-ip-phones-vulnerable"
target="_blank">http://m.spectrum.ieee.org/computing/embedded-systems/cisco-ip-phones-vulnerable</a>
Check out the video.
<div> <br>
</div>
<div>We are a closed facility, so the attacker would
have to either be inside, or take a phone off the
wall in a reception area AND have SSH access.</div>
<div><br>
</div>
<div>I talked to my SE and he said: </div>
<div><span
style="font-size:10.5pt;font-family:Calibri,sans-serif">Workaround
= Restrict SSH and CLI access to trusted users
only. Administrators may consider leveraging
802.1x device authentication to prevent
unauthorized devices or systems from accessing
the voice network.</span><br>
</div>
<div><span
style="font-size:10.5pt;font-family:Calibri,sans-serif"><br>
</span></div>
<div>
<p><span
style="font-size:10.5pt;font-family:Calibri,sans-serif">Ang
accomplished this by first gaining access to
the device via SSH and utilizing TFTP to pull
down a malicious binary that is designed to
exploit the insufficient validation issue of
the affected System Calls. He ran this from
the user context on the device which performed
the exploit. The caveats of this particular
issue are that an attacker would need to have
Authenticated Access either via SSH (which
would need to be enabled, it is not enabled by
default), or local access via the Serial port.
The attacker would also need to be able to
point the device at an attacker-controlled
TFTP server to retrieve the payload.</span></p>
<p><span
style="font-size:10.5pt;font-family:Calibri,sans-serif">YMMV</span></p>
<span class="HOEnZb"><font color="#888888">
<p><span
style="font-size:10.5pt;font-family:Calibri,sans-serif">Scott</span></p>
<p><span
style="font-size:10.5pt;font-family:Calibri,sans-serif"> </span><span></span></p>
<span></span><span></span></font></span></div>
<div><span
style="font-size:10.5pt;font-family:Calibri,sans-serif"><br>
</span></div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">
<div class="im"> On Fri, Jan 4, 2013 at 6:35 AM,
Robert Kulagowski <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:rkulagow@gmail.com"
target="_blank">rkulagow@gmail.com</a>&gt;</span>
wrote:<br>
</div>
<div>
<div class="h5">
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex"> Since no one
who knows anything for real is probably
going to say<br>
anything for now, are there any mitigating
factors that I can start<br>
thinking about once management sees the
following article?<br>
<br>
<a moz-do-not-send="true"
href="http://redtape.nbcnews.com/_news/2013/01/04/16328998-popular-office-phones-vulnerable-to-eavesdropping-hack-researchers-say?lite"
target="_blank">http://redtape.nbcnews.com/_news/2013/01/04/16328998-popular-office-phones-vulnerable-to-eavesdropping-hack-researchers-say?lite</a><br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a moz-do-not-send="true"
href="mailto:cisco-voip@puck.nether.net"
target="_blank">cisco-voip@puck.nether.net</a><br>
<a moz-do-not-send="true"
href="https://puck.nether.net/mailman/listinfo/cisco-voip"
target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
</blockquote>
</div>
</div>
</div>
<br>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Ed Leatherman<br>
</div>
<br>
</blockquote>
<br>
</div>
<br>
</blockquote>
<br>
</div>
</body>
</html>