Cisco has gone ahead and disclosed a critical flaw in a range of its internet protocol (IP) phones. However, it had originally wanted to break from its own 90-day disclosure policy due to "extenuating circumstances" created by the.
Like Google, Cisco's policy is to publicly disclose security bugs found in its own and other vendors' products 90 days after the issue is reported.
In line with that policy, the company has just published details about a critical flaw affecting several of its mobile and desktop IP phones that allow a remote attacker, without credentials, to crash the phone or execute arbitrary code on the device with root privileges.
The flaw, tracked as CVE-2020-3161, is a simple error in failing to properly validate HTTP requests across the web. However, it could have been used by attackers to cripple the communication of its wireless IP phone users, who happen to be working in healthcare, where communications technology is already under strain due to the pandemic.
According to Cisco, its mobile IP device users are primarily "doctors, nurses, and technicians in healthcare; customer service and help desk staff in retail; and managerial and engineering staff within manufacturing, oil, and chemical industries".
Jacob Baines of security company Tenable reported the issue to the Cisco Product Security Incident Response Team (PSIRT) on January 23. PSIRT confirmed the bug in early February and requested coordinated disclosure on April 15 – a week ahead of the 90-day deadline on April 22.
But Baines notes in a disclosure timeline that on March 25, as governments in Europe and the US told citizens to stay at home to stop the spread of coronavirus COVID-19: "Cisco asks Tenable [to] postpone disclosure due to current extenuating circumstances."
Tenable agreed that the coronavirus crisis warranted deviating from the disclosure policy and asked Cisco if it would "hold back the patch".
Ultimately, Cisco decided to go ahead with the original disclosure timeline because it couldn't prevent the fix from going ahead on April 15, as detailed in Tenable's timeline:
03/26/2020 - Cisco states, "We discussed internally and it is most likely not going to be possible to stop the posting of the code on 4/15/2020 so we will go ahead as planned with the 4/15/2020 disclosure."
03/26/2020 - Tenable acknowledges. Tenable and Cisco exchange a flurry of emails on CVE assignment.
Cisco describes the bug as: "A vulnerability in the web server for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition."
Affected Cisco models include its IP Phone 7811, 7821, 7841, and 7861 Desktop Phones; IP Phone 8811, 8841, 8845, 8851, 8861, and 8865 Desktop Phones; Unified IP Conference Phone 8831; and Wireless IP Phone 8821 and 8821-EX.
Baines said Cisco's software doesn't check the length of the parameter string in an HTTP request, which can lead to a stack-based buffer overflow in the device's memory. He's also posted a proof-of-concept exploit for the DoS attack on GitHub but excluded details about the remote code execution.
Cisco has also updated the advisory for a similar bug in its IP phones it disclosed in 2016, which originally didn't include the wireless IP phone and said an attack required authentication.
A mitigating factor is that web server functionality is disabled by default on Cisco IP phones. However, admins often want to enable it for remote configuration and monitoring. For example, the Cisco Quality Report Tool and service applications like CiscoWorks depend on web access to function properly.
Admins should check Cisco's advisory for the relevant firmware releases that address the issue for each model.
Cisco also disclosed a critical flaw in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data, along with seven other high-severity vulnerabilities in other networking products.