Cisco has released security updates to address a critical security vulnerability (CVE-2023-20078) found in the Web UI of multiple IP Phone models. Unauthenticated and remote attackers can exploit the vulnerability in remote code execution (RCE) attacks. According to Cisco, "A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device." The company also disclosed a second high-severity vulnerability (CVE-2023-20079) that can be abused to trigger denial-of-service (DoS) conditions.
The list of affected devices includes Cisco IP Phone 6800, 7800, and 8800 series devices with Multiplatform Firmware (vulnerable to both RCE and DoS attacks), and the Unified IP Conference Phone 8831, Unified IP Conference Phone 8831 with Multiplatform Firmware, and Unified IP Phone 7900 Series (only vulnerable to DoS attacks). Cisco has not yet released a security update for a high-severity zero-day vulnerability (CVE-2022-20968) with public exploit code found in the Cisco Discovery Protocol (CDP) processing feature of Cisco IP Phones running 7800 and 8800 Series firmware. However, admins are advised to disable CDP on affected IP Phone devices supporting Link Layer Discovery Protocol (LLDP) to remove the attack vector.
"Cisco Unified IP Phone 7900 Series and Cisco Unified IP Conference Phone 8831 have entered the end-of-life process," Cisco said. Zack Sanchez of the Cisco Advanced Security Initiatives Group (ASIG) discovered the security vulnerabilities during internal security testing. "A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device," Cisco said.