Wednesday, February 20, 2019

Cisco SPA112, SPA525, and SPA5x5 Series IP Phones Certificate Validation Vulnerability

A vulnerability in the certificate handling component of the Cisco SPA112, SPA525, and SPA5X5 Series IP Phones could allow an unauthenticated, remote attacker to listen to or control some aspects of a Transport Level Security (TLS)-encrypted Session Initiation Protocol (SIP) conversation.

The vulnerability is due to the improper validation of server certificates. An attacker could exploit this vulnerability by crafting a malicious server certificate to present to the client. An exploit could allow an attacker to eavesdrop on TLS-encrypted traffic and potentially route or redirect calls initiated by an affected device.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-ipphone-certs


Security Impact Rating: Medium
CVE: CVE-2019-1683

from Cisco Security Advisory https://ift.tt/2DY0scd

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.