
Details on the security of Cisco IP phones

Cisco has spoken about the importance of the security flaws in its handsets, specifically the Cisco 7940.

The Cisco Unified IP Conference Station and IP Phone devices contain the following vulnerabilities:

1. It may be possible to access the Unified IP Conference Station administrative HTTP interface without authentication. This vulnerability can be exploited remotely with no authentication and no user interaction. If exploited, the attacker may alter the device configuration or create a Denial of Service. In a default configuration the attack vector is through TCP port 80. The TCP port used by the HTTP interface is configurable and should be verified before any traffic filtering is added to the network. This vulnerability is not designated by a CVE ID.

2. Vulnerable Cisco Unified IP Phones contain a default username and password that may be accessed via SSH. This vulnerability can be exploited remotely with no user interaction. If exploited, the attacker may be able to modify the device configuration or perform additional attacks. The attack vector is through TCP port 22. This vulnerability is not designated by a CVE ID.

3. Affected Cisco Unified IP Phones contain privilege escalation vulnerabilities that allow local, authenticated users to obtain administrative access to the phone. This vulnerability may be exploited remotely with authentication and no user interaction. If exploited, the attacker may be able to modify the device configuration or cause a Denial of Service. The attack vector is through TCP port 22. This vulnerability is not designated by a CVE ID.

The privilege escalation vulnerabilities involve defects in the command line interface of the affected devices. Upgrading vulnerable devices to fixed software is the only effective means by which to mitigate these particular vulnerabilities; therefore, no identification or mitigation techniques for these vulnerabilities will be detailed in this document.
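As an added example (not part of the Cisco advisory or of the original post), the following Python code shows one way to audit flow records for connections that reach the phones' SSH port or HTTP administration port (items 1 and 2 above) from outside a management network. The subnets, the record format and the sample flows are constructed assumptions; the HTTP port defaults to 80 as the advisory states, but it is configurable and must match what the devices actually use.

```python
import ipaddress

# Assumptions (constructed for this example, not taken from the advisory):
PHONE_NETS = [ipaddress.ip_network("10.20.0.0/24")]   # voice VLAN
MGMT_NETS = [ipaddress.ip_network("10.99.0.0/28")]    # hosts allowed to administer phones
HTTP_ADMIN_PORT = 80   # default per the advisory; configurable, verify on the device
SSH_PORT = 22          # attack vector for items 2 and 3

# Constructed flow records: "src_ip dst_ip protocol dst_port"
SAMPLE_FLOWS = """\
10.99.0.5 10.20.0.17 tcp 22
10.30.4.8 10.20.0.17 tcp 80
10.30.4.8 10.20.0.17 udp 5060
192.0.2.44 10.20.0.23 tcp 22
10.30.4.8 10.40.0.9 tcp 80
garbage line
"""

def in_any(addr, nets):
    return any(addr in n for n in nets)

def audit_flows(text, http_port=HTTP_ADMIN_PORT):
    """Return (src, dst, port) for TCP flows that reach a phone's SSH or HTTP
    admin port from a source outside the management networks."""
    watched = {SSH_PORT, http_port}
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        src_s, dst_s, proto, port_s = parts
        try:
            src = ipaddress.ip_address(src_s)
            dst = ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            continue  # skip records with unparseable addresses or ports
        if proto.lower() != "tcp" or port not in watched:
            continue
        if in_any(dst, PHONE_NETS) and not in_any(src, MGMT_NETS):
            findings.append((src_s, dst_s, port))
    return findings

if __name__ == "__main__":
    for src, dst, port in audit_flows(SAMPLE_FLOWS):
        print(f"unexpected admin-port access: {src} -> {dst}:{port}/tcp")
```

Any finding is a candidate for a filtering rule once the HTTP port in use on the devices has been confirmed.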

Patches, advisories and updates will be posted here:

http://www.cisco.com/warp/public/707/cisco-air-20070221-phone.shtml

Original story: http://blogs.zdnet.com/ip-telephony/?p=1453

By the way, this phone reminds me a little of the Linksys 941. 🙂
