Weaknesses in some models of Cisco Systems IP telephones could allow the devices to be restarted by a Web attack or even taken over by a malicious network client, the company says. A software fix is available.
A Web-based attacker using common denial-of-service programs could cause a Cisco IP phone to restart, ending any call in progress. Phones could also be restarted using invalid HTTP requests to a Web server running on certain IP phone configurations.
The vulnerability affects Cisco 7910, 7940, and 7960 IP phones, which are used with the vendor's Architecture for Voice, Vide and Integrated Data (AVVID) IP telephony phone system, based on CallManager software.
Cisco was the leading seller of IP phones last year according to Instat/MDR, and the company has an installed base of more than 500,000 IP phones and 6 million-plus VoIP system ports.
A software fix for affected IP phones can be obtained here.
Denial-of-service attacks based on well-known methods such as "jolt," "jolt2," "raped," "hping2," "bloop," "bubonic," "mutant," "trash" and "trash2." Could be used to shutdown an IP phone. Cisco says a software fix resolves this problem by allowing the IP phones to resist high rates of traffic directed the phones.
The Web vulnerability on Cisco phones stems from a built-in Web server on port 80 of the affected products, meant for administrators to access debuging and status information pages about the phone. By modifying an HTTP request to the phone, attackers could restart the devices via a Web connection.
Cisco IP phones running Session Initiation Protocol or Media Gateway Control Protocol software images are not susceptible to Web-based HTTP attacks, but could be affected by denial-of-service program attacks.
Cisco also warns that by physically accessing the phone and downloading software or reconfiguring the device, an attacker could set up an IP phone so that it could be taken over via a network connection. "A successful attacker could gain full control over the operation of the IP Phone and any call setup requests and responses made between the IP Phone and Cisco CallManagers or other VoIP gateways," according to a statement on Cisco's Web site.