Cisco patches multiple vulnerabilities in IP phones

Cisco patches multiple vulnerabilities in IP phones

Summary: Cisco on Wednesday delivered patches to plug multiple overflow and denial of service vulnerabilities.In an advisory Cisco said multiple IP phone devices running the Skinny Client Control Protocol (SCCP) firmware were impacted.

SHARE:

Cisco on Wednesday delivered patches to plug multiple overflow and denial of service vulnerabilities.

In an advisory Cisco said multiple IP phone devices running the Skinny Client Control Protocol (SCCP) firmware were impacted. The vulnerabilities range from arbitrary code executions on a phone to forced phone reboots.

Most of these advisories carry high ratings. As for the CVEs here's the list: CVE-2008-0530, CVE-2008-0526, CVE-2008-0527, CVE-2004-2486, CVE-2008-0528, CVE-2008-0529 and CVE-2008-0531. Among those CVE-2008-530 gets a perfect 10 score from Cisco. Here are the details:

Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices running SCCP and SIP firmware contain a buffer overflow vulnerability in the handling of DNS responses. A specially-crafted DNS response may be able to trigger a buffer overflow and execute arbitrary code on a vulnerable phone. This vulnerability is corrected in SCCP firmware version 8.0(8) and SIP firmware version 8.8(0).

Separately, Cisco patched its Unified Communications Manager, which was vulnerable to SQL injection attacks (CVE-2008-0026). In an advisory, Cisco gave these flaws lower base scores.

Topics: Security, Cisco, Mobility, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • Re: Cisco patches multiple vulnerabilities in IP phones

    Precisely why I will never have VOIP. When was the last time a POTS telephone needed to be patched?

    Aside from the Nazis in Washington, DC listening in on my conversations...there are not a lot of issues with a land-line phone.
    IT_Guy_z