Monday, 23 March 2015

Vulnerability in Cisco IP Phones Makes Eavesdropping Possible

Networking giant Cisco warns of a vulnerability in the SPA300 and SPA500 IP phones that allows attackers without credentials to remotely eavesdrop on calls, or to gain access to the phone and place calls themselves. However, an update is not yet available.

A successful attack could also be used for further attacks, according to the advisory. The vulnerability is caused by authentication settings in the default configuration. To abuse a vulnerable device, an attacker would have to send it a specially crafted XML request.

Cisco says that in order to exploit this vulnerability, an attacker would need access to a trusted internal network behind a firewall to send the XML request. This requirement would reduce the possibility of a successful attack. Since there is no update available, system administrators are advised to turn on XML Execution authentication in the configuration settings. Furthermore, a "solid firewall strategy" could protect systems, and administrators can consider giving only trusted IP addresses access.
