-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2023.1306.3
  Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities
                               13 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IP Phones
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-20079 CVE-2023-20078 

Original Bulletin: 
   https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-cmd-inj-KMFynVcP

Comment: CVSS (Max):  9.8 CVE-2023-20078 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Revision History:  March 13 2023: Removed Cisco Unified IP Phone 7900 Series as an affected product
                   March  8 2023: Vendor updated advisory
                   March  2 2023: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities

Priority:        Critical
Advisory ID:     cisco-sa-ip-phone-cmd-inj-KMFynVcP
First Published: 2023 March 1 16:00 GMT
Last Updated:    2023 March 10 21:13 GMT
Version 1.3:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCwc78400 CSCwd39132 CSCwd40474 CSCwd40489
CVE Names:       CVE-2023-20078 CVE-2023-20079

Summary

  o Multiple vulnerabilities in the web-based management interface of certain
    Cisco IP Phones could allow an unauthenticated, remote attacker to execute
    arbitrary code or cause a denial of service (DoS) condition.

    For more information about these vulnerabilities, see the Details section
    of this advisory.

    Cisco has released software updates that address these vulnerabilities.
    There are no workarounds that address these vulnerabilities.

    This advisory is available at the following link:
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-cmd-inj-KMFynVcP

Affected Products

  o Vulnerable Products

    CVE-2023-20078

    This vulnerability affects the following Cisco products if they are running
    a vulnerable release of Cisco Multiplatform Firmware:

       IP Phone 6800 Series with Multiplatform Firmware
       IP Phone 7800 Series with Multiplatform Firmware
       IP Phone 8800 Series with Multiplatform Firmware

    CVE-2023-20079

    This vulnerability affects the following Cisco products if they are running
    a vulnerable release of Cisco Multiplatform Firmware or Cisco Unified
    Software:

       IP Phone 6800 Series with Multiplatform Firmware
       IP Phone 7800 Series with Multiplatform Firmware
       IP Phone 8800 Series with Multiplatform Firmware
       Unified IP Conference Phone 8831
       Unified IP Conference Phone 8831 with Multiplatform Firmware

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

    Cisco has confirmed that these vulnerabilities do not affect the following
    Cisco products:

       ATA 191 Analog Telephone Adapter
       ATA 192 Multiplatform Analog Telephone Adapter
       IP Conference Phone 7832
       IP Conference Phone 8832
       IP DECT 110 Repeater with Multiplatform Firmware
       IP DECT 210 Multi-Cell Base Station
       IP DECT 6823 with Multiplatform Firmware
       IP Phone 7800 Series
       IP Phone 8845 and 8865
       Unified IP Phone 3905
       Video Phone 8875
       Webex Room Phone
       Webex Share
       Webex Wireless Phones 840 and 860
       Wireless IP Phone 8821

Details

  o The vulnerabilities are not dependent on one another. Exploitation of one
    of the vulnerabilities is not required to exploit the other vulnerability.
    In addition, a software release that is affected by one of the
    vulnerabilities may not be affected by the other vulnerability.

    Details about the vulnerabilities are as follows:

    CVE-2023-20078: Cisco IP Phone 6800, 7800, and 8800 Series Command
    Injection Vulnerability

    A vulnerability in the web-based management interface of Cisco IP Phone
    6800, 7800, and 8800 Series Multiplatform Phones could allow an
    unauthenticated, remote attacker to inject arbitrary commands that are
    executed with root privileges.

    This vulnerability is due to insufficient validation of user-supplied
    input. An attacker could exploit this vulnerability by sending a crafted
    request to the web-based management interface. A successful exploit could
    allow the attacker to execute arbitrary commands on the underlying
    operating system of an affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    Bug ID(s): CSCwc78400
    CVE ID: CVE-2023-20078
    Security Impact Rating (SIR): Critical
    CVSS Base Score: 9.8
    CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    CVE-2023-20079: Cisco IP Phone 6800, 7800, and 8800 Series Denial of
    Service Vulnerability

    A vulnerability in the web-based management interface of Cisco IP Phone
    6800, 7800, and 8800 Series Multiplatform Phones, as well as Cisco Unified
    IP Conference Phone 8831, could allow an unauthenticated, remote attacker
    to cause an affected device to reload, resulting in a denial of service
    (DoS) condition.

    This vulnerability is due to insufficient validation of user-supplied
    input. An attacker could exploit this vulnerability by sending a crafted
    request to the web-based management interface. A successful exploit could
    allow the attacker to cause a DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    Bug ID(s): CSCwd39132 CSCwd4074 CSCwd40489
    CVE ID: CVE-2023-20079
    Security Impact Rating (SIR): High
    CVSS Base Score: 7.5
    CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Workarounds

  o There are no workarounds that address these vulnerabilities.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers with service contracts that entitle
    them to regular software updates should obtain security fixes through their
    usual update channels.

    Customers may only install and expect support for software versions and
    feature sets for which they have purchased a license. By installing,
    downloading, accessing, or otherwise using such software upgrades,
    customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    The Cisco Support and Downloads page on Cisco.com provides information
    about licensing and downloads. This page can also display customer device
    support coverage for customers who use the My Devices tool.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate fixed software release 
    as indicated in the following table:

    IP Phone 6800, 7800, and 8800 Series

    Cisco Multiplatform     First Fixed Release for   First Fixed Release for
    Firmware Release        CVE-2023-20078            CVE-2023-20079
    Earlier than 11.3.7SR1  11.3.7SR1                 Migrate to a fixed
                                                      release.
    12.0.1                  Not affected.             Not affected.

    Unified IP Conference Phone 8831 and Unified IP Conference Phone 8831 with
    Multiplatform Firmware

    Cisco has not released and will not release software updates to address the
    vulnerabilities that are described in CVE-2023-20079. Cisco Unified IP
    Conference Phone 8831 has entered the end-of-life process. Customers are
    advised to refer to the end-of-life notices for these products:

    End-of-Sale and End-of-Life Announcement for the Cisco Select IP Conference
    Phone 8831 for on-premise and accessories

    End-of-Sale and End-of-Life Announcement for the Cisco IP Conference Phone
    8831 for Multiplatform Phones and Accessories

    When considering a device migration, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the new phone will be sufficient
    for their network needs and that current hardware and software
    configurations will continue to be supported properly by the new product.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    The Cisco Product Security Incident Response Team (PSIRT) validates only
    the affected and fixed release information that is documented in this
    advisory.

Exploitation and Public Announcements

  o The Cisco PSIRT is not aware of any public announcements or malicious use
    of the vulnerability that is described in this advisory.

Source

  o These vulnerabilities were found during internal security testing by Zack
    Sanchez of the Cisco Advanced Security Initiatives Group (ASIG).

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

Related to This Advisory

  o 

URL

  o https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-cmd-inj-KMFynVcP

Revision History

  o +---------+-------------------------+--------------+--------+-------------+
    | Version |       Description       |   Section    | Status |    Date     |
    +---------+-------------------------+--------------+--------+-------------+
    |         |                         | Title,       |        |             |
    |         | Removed Cisco Unified   | Vulnerable   |        |             |
    | 1.3     | IP Phone 7900 Series as | Products,    | Final  | 2023-MAR-10 |
    |         | an affected product.    | Details,     |        |             |
    |         |                         | Fixed        |        |             |
    |         |                         | Releases     |        |             |
    +---------+-------------------------+--------------+--------+-------------+
    |         | Updated URLs for bug    |              |        |             |
    | 1.2     | IDs CSCwd40494 and      | Details      | Final  | 2023-MAR-07 |
    |         | CSCwd40489.             |              |        |             |
    +---------+-------------------------+--------------+--------+-------------+
    |         | Added end-of-life link  |              |        |             |
    |         | for Cisco Unified IP    | Fixed        |        |             |
    | 1.1     | Phone 7900 Series and   | Releases     | Final  | 2023-MAR-03 |
    |         | updated the fixed       |              |        |             |
    |         | release table intro.    |              |        |             |
    +---------+-------------------------+--------------+--------+-------------+
    | 1.0     | Initial public release. | -            | Final  | 2023-MAR-01 |
    +---------+-------------------------+--------------+--------+-------------+

Legal Disclaimer

  o THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZA6RHskNZI30y1K9AQhmHg//fymbUSUGCZXmBbVV/8rUmIp8X++gFjbf
ctvOg2XUvrZNwxiPm6jZ0nLqvwGL2JZIHplj6lp8bsVF6l/fhbsUyHHgHc3eg0Si
N+7dBPOLSW5IUXXyHhND2Qhkcd28oBzZYtjtOIfL4JMla2hoxhHCIFRb+hC3hG4E
8bnoku92AUeOnVrn2m92qXrjKdfpCW+fen1qHRYx/USYXSj7c1WTw4WhW2j40LU2
5DhR8zs9qk95wSgOvoTo0d4yVOcrkDDsvkoniGIuk/nyuqUfcWeUppg1f9Np5bOX
D9jBVjyxNnJuiXMT4TviNyrHaW3vsRFjH9EYSUasqBuN9+vwFRD9O7I6TC2UyqeK
BcDn6dp1YLumeZ0xoAjwrExxtQDRsdVVra+foni5/HKcV8wujpeTRFI0+V8uCutj
QCJmfmraf5XcS8KwWyZ5xFZ0PYFd0LU7fdN1KLNr5HK+yzu1+7fVLVeQiLSDwNML
TQ1tALFvZjfoynJ1ZcanXYyuCytfg65u7hCM4PZxcVJoSZ7EzMHuO9QWZMuj8OiO
Laart8D0O1uLqiIABj0xPdSSzKJot5tfJ2fUxfMC438xkXH4aXs8rvN/4OKmH+aZ
wSHC6FTxjV0pkyPaLFmyF7azgSAOsCocG/sV7QnhOp2H+UQPW8At11wX2H+npvzS
BQvmCkDgfUQ=
=+YeB
-----END PGP SIGNATURE-----