Reference: CERT-EU Security Advisory 2013-0010

Title: Cisco Unified IP Phone Local Kernel System Call Input Validation Vulnerability [1]

Version history:
11.01.2013 Initial publication

Summary
=======

Cisco Unified IP Phones 7900 Series versions 9.3(1)SR1 and prior contain an arbitrary code execution vulnerability that could allow a local attacker to execute code or modify arbitrary memory with elevated privileges.

CVE-2012-5445

CVSS Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C) [3]

Vulnerable systems
==================

The following Cisco Unified IP Phones 7900 Series devices are affected by the vulnerability documented in this advisory:

Cisco Unified IP Phone 7906
Cisco Unified IP Phone 7911G
Cisco Unified IP Phone 7931G
Cisco Unified IP Phone 7941G
Cisco Unified IP Phone 7941G-GE
Cisco Unified IP Phone 7942G
Cisco Unified IP Phone 7945G
Cisco Unified IP Phone 7961G
Cisco Unified IP Phone 7961G-GE
Cisco Unified IP Phone 7962G
Cisco Unified IP Phone 7965G
Cisco Unified IP Phone 7970G
Cisco Unified IP Phone 7971G-GE
Cisco Unified IP Phone 7975G

Original Details
================

This vulnerability is due to a failure to properly validate input passed to kernel system calls from applications running in userspace. An attacker could exploit this issue by gaining local access to the device using physical access or authenticated access using SSH and executing an attacker-controlled binary that is designed to exploit the issue. Such an attack would originate from an unprivileged context.

Several models in the Cisco Unified IP Phones 7900 Series contain an input validation vulnerability that could allow a local, authenticated attacker to manipulate arbitrary areas of memory within the device. This is due to a failure to properly validate user-supplied parameters that are passed to kernel system calls.

Multiple access vectors have been identified whereby an attacker could gain local access to the device. An attacker can accomplish this by gaining physical access to the device via the AUX port on the back of the device, or remotely by first authenticating to the device via SSH. After the Cisco Unified Communications Manager (CallManager) provisions the device, the remote access method is disabled by default.

What can you do?
================

The following Cisco Unified IP Phones 7900 Series devices are not affected by the vulnerability documented in this advisory:

Cisco Unified IP Phone 7902G
Cisco Unified IP Phone 7905G
Cisco Unified IP Phone 7910G
Cisco Unified IP Phone 7912G
Cisco Unified IP Phone 7940
Cisco Unified IP Phone 7960
Cisco Unified IP Phone 7985G
Cisco Unified Wireless IP Phone 7920 Versions 1/2/3
Cisco Unified Wireless IP Phone 7921G
Cisco Unified Wireless IP Phone 7925G
Cisco Unified Wireless IP Phone 7925G-EX
Cisco Unified Wireless IP Phone 7926G
Cisco Unified IP Conference Station 7935
Cisco Unified IP Conference Station 7936
Cisco Unified IP Conference Station 7937G

Cisco has not released fixed software at this time. Cisco anticipates releasing an Engineering Special the week of January 21, which is focused on closing known attack vectors for the vulnerability documented in this advisory.

Administrators are advised to read and implement the mitigations found in the following Applied Mitigation Bulletin. If Cisco Unified IP Phones are not deployed on a Cisco infrastructure, administrators should at minimum consider deploying encrypted configurations and ensuring that SSH has been disabled. Configuration files from Cisco Unified Communications Manager Version 8.0(1) and later are signed by default for all affected Cisco Unified IP Phones 7900 Series devices.

Additional mitigations that can be deployed on Cisco devices within the network are available in the companion document "Identifying and Mitigating Exploitation of the Cisco Unified IP Phone Local Kernel System Call Input Validation Vulnerability" [2]

What to tell your users?
========================

N/A

More information
================

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-uipphone
[2] http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=27763
[3] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
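
To find which deployed phones fall inside the scope given under "Summary" and "Vulnerable systems", the following added example (not part of the CERT-EU or Cisco advisory) triages an inventory against the affected model list and the "9.3(1)SR1 and prior" range. The version syntax major.minor(maintenance)[SR<n>], the CP- model prefix handling, the status labels and the sample inventory are assumptions made for this example.

```python
import re

# Affected models, copied from the advisory's "Vulnerable systems" list.
AFFECTED_MODELS = {
    "7906", "7911G", "7931G", "7941G", "7941G-GE", "7942G", "7945G",
    "7961G", "7961G-GE", "7962G", "7965G", "7970G", "7971G-GE", "7975G",
}
LAST_VULNERABLE = "9.3(1)SR1"  # "versions 9.3(1)SR1 and prior"

# Assumed version syntax: major.minor(maintenance) with optional SR<n> suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:SR(\d+))?$")

def parse_version(text):
    """Return a sortable tuple; a release without SR sorts before its SR1."""
    match = _VERSION_RE.match(text.strip().upper())
    if match is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, maint, sr = match.groups()
    return (int(major), int(minor), int(maint), int(sr or 0))

def normalise_model(text):
    """Reduce 'Cisco Unified IP Phone 7945G' or 'CP-7945G' to '7945G'."""
    tokens = text.strip().upper().split()
    token = tokens[-1] if tokens else ""
    return token[3:] if token.startswith("CP-") else token

def triage(model, version):
    """Classify one phone against the advisory's model list and version range."""
    if normalise_model(model) not in AFFECTED_MODELS:
        return "not-listed"
    try:
        parsed = parse_version(version)
    except ValueError:
        return "review"  # affected model, unparseable version: check by hand
    if parsed <= parse_version(LAST_VULNERABLE):
        return "vulnerable"
    return "check-vendor"  # newer than the stated range; no fixed release named

# Constructed sample inventory: (device name, model, firmware version).
SAMPLE_INVENTORY = [
    ("SEP000000000001", "CP-7945G", "9.3(1)SR1"),
    ("SEP000000000002", "Cisco Unified IP Phone 7962G", "9.2(3)"),
    ("SEP000000000003", "7975G", "9.3(1)SR2"),
    ("SEP000000000004", "7960", "8.1(2)"),
]

def triage_inventory(rows):
    """Map each device name to its triage status."""
    return {name: triage(model, version) for name, model, version in rows}
```

A "check-vendor" result means only that the firmware is newer than the range this advisory states; the advisory names no fixed release, so such devices still need checking against Cisco's advisory [1].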