Cisco Releases Critical Security Updates for Cisco IP Phone
Cisco addresses one Critical command injection vulnerability and one High denial-of-service vulnerability for Cisco IP Phone
Summary
Cisco addresses one Critical command injection vulnerability and one High denial-of-service vulnerability for Cisco IP Phone
Affected platforms
The following platforms are known to be affected:
The following platforms are also known to be affected:
- Unified IP Phone 7900 Series (End-of-life)
- Unified IP Conference Phone 8831 (End-of-life)
- Unified IP Conference Phone 8831 with Multiplatform Firmware (End-of-life)
Threat details
End-of-life products will not receive security updates
Cisco Unified IP Phone 7900 Series and Cisco Unified IP Conference Phone 8831 have entered the end-of-life process. For these products, Cisco has not released and will not release software updates to address the vulnerabilities that are described in CVE-2023-20079.
Introduction
Cisco has released a security advisory that addresses one Critical vulnerability and one High impact vulnerability. The Critical vulnerability could allow an unauthenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The High vulnerability could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service condition.
Four Medium advisories also released
In addition to the Critical security advisory, Cisco has released four Medium advisories impacting Webex App, Finesse, Unified Intelligence Center, and Prime Infrastructure. The vulnerabilities concern cross-site scripting, denial-of-service, and server-side request forgery.
Remediation advice
Affected organisations are encouraged to review the following Cisco Security Advisories for more information.
Remediation steps
| Type | Step |
|---|---|
| Patch |
Critical Security Advisory https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-cmd-inj-KMFynVcP |
| Patch |
Cisco Webex App for Web Cross-Site Scripting Vulnerability | cisco-sa-webex-xss-Yn8HHsMJ https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-xss-Yn8HHsMJ |
| Patch |
Cisco Finesse Reverse Proxy VPN-less Access to Finesse Desktop Denial of Service Vulnerability | cisco-sa-finesse-proxy-dos-vY5dQhrV https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-finesse-proxy-dos-vY5dQhrV |
| Patch |
Cisco Unified Intelligence Center Vulnerabilities | cisco-sa-cuic-infodisc-ssrf-84ZBmwVk https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuic-infodisc-ssrf-84ZBmwVk |
| Patch |
Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability | cisco-sa-cisco-pi-epnm-xss-mZShH2J https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-pi-epnm-xss-mZShH2J |
CVE Vulnerabilities
Last edited: 2 March 2023 2:36 pm