Have You Patched Your Cisco IP Phones?Have You Patched Your Cisco IP Phones?

Security software provider Armis last week disclosed that it found five zero-day vulnerabilities in various implementations of the Layer 2 Cisco Discovery Protocol (CDP) used in a variety of endpoints, including IP phones.

Working with Armis to develop and test mitigations, Cisco has released patches for the vulnerabilities. While patches are available, "most of the vulnerable devices don't auto-update and need manual patching," resulting in many devices still being unprotected from these vulnerabilities, Ben Seri, VP of research at Armis, noted in a Wired article.

In its research, Armis found four remote code execution vulnerabilities and one denial-of-service vulnerability, residing in the processing of CDP packets. One of the common uses of CDP is the management of IP phones; it allows a switch to allocate one VLAN for voice and another for any PC that is daisy-chained to the phone, according to Armis.

Dubbed CDPwn, the vulnerabilities include:

With these vulnerabilities, remote hackers can overtake devices without user interaction to break network segmentation, gain access to additional devices by leveraging man-in-the-middle attacks, or exfiltrate data from IP phones and other network endpoints, Armis reported. The vulnerabilities impact firmware versions released in the last 10 years of a wide range of Cisco products, Armis said. Affected devices include NX-OS switches; NCS and IOS XR routers; Firepower firewalls; 800 IP cameras series; and the 7800 and 8800 series IP phones, according to Armis.

The joint mitigation effort followed Armis’s Aug. 29, 2019, alert to Cisco about the vulnerabilities, the security software firm reported. (Note that Seri will be discussing these vulnerabilities at BlackHat Asia, an Informa Tech event that will take place March 31 to April 3 in Singapore.)