Several models of Cisco Systems’ IP phones have a high-severity vulnerability, the company has acknowledged, but a patch won’t be available until January.
Nor is there a workaround for the Cisco Discovery Protocol processing feature in the Cisco IP Phone 7800 and 8800 Series (excluding the Cisco Wireless IP Phone 8821).
What administrators can think about is disabling Cisco Discovery Protocol on affected phones. Devices will then use LLDP for discovery of configuration data such as voice VLAN, and power negotiation.
However, Cisco warns that “this is not a trivial change and will require diligence on behalf of the enterprise to evaluate any potential impact to devices as well as the best approach to deploy this change in their enterprise.”
“While this mitigation has been deployed and was proven successful in a test environment,” Cisco says, “customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.”
The vulnerability in the Cisco Discovery Protocol processing feature of the affected phones could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device. The hole is due to insufficient input validation of received Cisco Discovery Protocol packets, the Cisco notice says. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device. A successful exploit could allow the attacker to cause a stack overflow, resulting in possible remote code execution or a denial of service (DoS) condition on an affected device.
This vulnerability looks pretty serious for Cisco phones, wrote SANS Institute Moses Frost in a commentatry. “CDP is a well-used protocol that does not require authentication and generally is gratuitously sent on the network. If a CDP packet can lead to a remote code execution, then patch these devices now. I cannot stress this enough, patch now. I still find very vulnerable network devices unpatched on a network, even when it is trivial to exploit, and the vulnerability has been known for over ten years.
“I cannot stress that a CDP packet that can cause RCE is terrible. Once someone is on one of these devices, they can quickly pivot to other parts of the network. If you cannot patch at this time, please make sure that these devices are on their network and that these networks are firewalled away from the data networks.”