Vulnerabilities > CVE-2008-0529 - Buffer Errors vulnerability in Cisco products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Buffer overflow in the telnet server in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G, and 7971G running SCCP firmware might allow remote authenticated users to execute arbitrary code via a crafted command. Patch requires login
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 27774 CVE(CAN) ID: CVE-2008-0530,CVE-2008-0526,CVE-2008-0527,CVE-2008-0528,CVE-2008-0529,CVE-2008-0531 Cisco Unified IP Phone是思科的统一IP电话解决方案。 * DNS响应解析溢出 运行SCCP和SIP固件的Cisco Unified IP Phone 7940、7940G、7960和7960G设备在处理DNS响应时存在缓冲区溢出漏洞,特制的DNS响应可以触发缓冲区溢出,在有漏洞的电话上执行任意指令。该漏洞记录为CVE-2008-0530和Cisco Bug ID CSCsj74818和CSCsk21863。 * 超大ICMP回显请求拒绝服务 运行SCCP固件的Cisco Unified IP Phone 7940、7940G、7960和7960G设备存在拒绝服务漏洞,远程攻击者可以通过发送超大的ICMP回显请求报文导致有漏洞的设备重启。该漏洞记录为CVE-2008-0526和Cisco Bug ID CSCsh71110。 * HTTP服务器拒绝服务 运行SCCP固件的Cisco Unified IP Phone 7935和7936设备中的内部HTTP服务器存在拒绝服务漏洞。如果向有漏洞电话的TCP 80端口发送了特制的HTTP请求,就会导致电话重启。内部HTTP服务器仅监听于TCP 80端口。该漏洞记录为CVE-2008-0527和Cisco Bug ID CSCsk20026。 * SIP MIME边界溢出 运行SIP固件的Cisco Unified IP Phone 7940、7940G、7960和7960G设备在处理多用途Internet邮件扩展(MIME)编码的数据时存在缓冲区溢出漏洞。如果向有漏洞的电话发送了特制的SIP消息的话,就可能触发缓冲区溢出,在电话上执行任意代码。该漏洞记录为CVE-2008-0528和Cisco Bug ID CSCsj74786。 * Telnet服务器溢出 运行SIP固件的Cisco Unified IP Phone 7940、7940G、7960和7960G设备的内部telnet服务器存在缓冲区溢出漏洞。telnet服务器默认禁用,可配置为允许特权或非特权用户级访问。如果对特权或非特权访问启用了telnet服务器,则还必须额外配置电话口令参数以允许telnet访问。如果在配置为允许非特权访问的电话上输入了特制命令的话,通过认证的非特权用户就可以触发缓冲区溢出,获得对电话的特权访问。该漏洞记录为CVE-2008-0529和Cisco Bug ID CSCsj78359。 * SIP代理响应溢出 运行SIP固件的Cisco Unified IP Phone 7940、7940G、7960和7960G设备在处理来自SIP代理的挑战/响应消息时存在堆溢出漏洞。如果攻击者控制了有漏洞电话所注册或试图注册的SIP代理的话,或者攻击者可扮演为中间人,就可以向电话发送恶意的挑战/响应消息并执行任意指令。该漏洞记录为CVE-2008-0531和Cisco Bug ID CSCsj74765。 Cisco Unified IP Phone 7971G Cisco Unified IP Phone 7970G Cisco Unified IP Phone 7961G Cisco Unified IP Phone 7960G Cisco Unified IP Phone 7960 Cisco Unified IP Phone 7941G Cisco Unified IP Phone 7940G Cisco Unified IP Phone 7940 Cisco Unified IP Phone 7936 Cisco Unified IP Phone 7935 Cisco Unified IP Phone 7911G Cisco Unified IP Phone 7906G 临时解决方法: 如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁: * 禁用不必要的内部电话Telnet和HTTP服务器可消除Telnet服务器溢出和HTTP服务器拒绝服务漏洞隐患。 * 在语音/数据网络边界作为tACL策略的一部分部署拒绝ICMP回显请求、TCP 22端口(SSH)、TCP 23端口(Telnet)、TCP 80端口(HTTP)、TCP/UDP 53端口(DNS)和TCP/UDP 5060端口(SIP)的过滤器,以保护在入口接入点进入网络的通讯。 厂商补丁: Cisco ----- Cisco已经为此发布了一个安全公告(cisco-sa-20080213-phone)以及相应补丁: cisco-sa-20080213-phone:Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities 链接:<a href=http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml target=_blank>http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml</a> 补丁下载: <a href=http://www.cisco.com/pcgi-bin/tablebuild.pl/ip-7900ser?psrtdcat20e2 target=_blank>http://www.cisco.com/pcgi-bin/tablebuild.pl/ip-7900ser?psrtdcat20e2</a> <a href=http://www.cisco.com/pcgi-bin/tablebuild.pl/sip-ip-phone7960?psrtdcat20e2 target=_blank>http://www.cisco.com/pcgi-bin/tablebuild.pl/sip-ip-phone7960?psrtdcat20e2</a> |
| id | SSV:2913 |
| last seen | 2017-11-19 |
| modified | 2008-02-20 |
| published | 2008-02-20 |
| reporter | Root |
| title | Cisco Unified IP Phone SCCP及SIP协议多个远程安全漏洞 |
References
- http://secunia.com/advisories/28935
- http://www.cisco.com/en/US/products/products_security_advisory09186a0080949c7a.shtml
- http://www.securityfocus.com/bid/27774
- http://www.securitytracker.com/id?1019410
- http://www.vupen.com/english/advisories/2008/0543
- https://exchange.xforce.ibmcloud.com/vulnerabilities/40493