Security

CSO

Dump these insecure phone adapters because we're not fixing them, says Cisco

Security hole ranks 9.8 out of 10 in severity, 0 out of 10 in patch availability


There is a critical security flaw in a Cisco phone adapter, and the business technology giant says the only step to take is dumping the hardware and migrating to new kit.

In an advisory, Cisco this week warned about the vulnerability in the SPA112 2-Port Adapter that, if exploited, could allow a remote attacker to essentially take control of a compromised device by seizing full privileges and executing arbitrary code.

The flaw, tracked as CVE-2023-20126, is rated as "critical," with a base score of 9.8 out of 10.

Adding to the problem is the fact that the adapter reached its end of life in June 2020, and while the last date to extend or renew a service contract for the product isn't until August 2024, Cisco said in the advisory it will not release firmware updates to address the flaw and there are no workarounds.

"Customers are encouraged to migrate to a Cisco ATA 190 Series Analog Telephone Adapter," the manufacturer wrote in its advisory.

The Register has asked Cisco for more information, and will update the story if a response comes in.

The flaw is in the web-based management interface for the two-port adapter, which is used by organizations to connect analog phones and fax machines (please don't ask us to explain what those are) to voice-over-IP systems without having to upgrade them.

The vulnerability stems from a missing authentication process in the firmware upgrade function, according to Cisco.

"This vulnerability is due to a missing authentication process within the firmware upgrade function," the company wrote. "An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges."

DBAPPsecurity, a network security company in China, alerted Cisco to the vulnerability, according to the network box maker. Cisco's Product Security Incident Response Team (PSIRT) doesn't know of any exploitation of the vulnerability.

The ATA 190 Series adapter has been available for almost a decade and, like the SPA112 adapter, enables enterprises to turn analog devices like phones, fax machines, and paging systems into IP devices. They can then be used by companies with enterprise networks, small offices, and unified communications-as-a-service cloud operations.

We note that the 190 specifically has its own final updates scheduled for March 2024; Cisco recommends people use the ATA 191 and later models.

Before migrating to whichever new adapter, organizations should make sure the device will address their network needs and that their hardware and software configurations are supported by the device, Cisco wrote.

While there doesn't seem to have been attacks exploiting the vulnerability in the wild, upgrading to still-supported adapters would make sense. Cisco's Talos threat intelligence unit said last month that Russian intelligence operatives, working under the APT28 threat group umbrella, in 2021 exploited an old vulnerability in Cisco routers to gather network data from US and European government agencies.

Cisco had issued a fix for the flaw in 2017, though some routers remain unpatched. Talos said miscreants are only getting better and better at their attacks on networks, including exploiting known flaws in vulnerable devices. ®

Send us news
90 Comments

Zabbix urges upgrades after critical SQL injection bug disclosure

US agencies blasted 'unforgivable' SQLi flaws earlier this year

PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug to access sensitive files

Still unpatched 100+ days later, watchTowr says

OpenWrt orders router firmware updates after supply chain attack scare

A couple of bugs lead to a potentially bad time

Perfect 10 directory traversal vuln hits SailPoint's IAM solution

20-year-old info disclosure class bug still pervades security software

QNAP and Veritas dump 30-plus vulns over the weekend

Just what you want to find when you start a new week

AI ambition is pushing copper to its breaking point

Ayar Labs contends silicon photonics will be key to scaling beyond the rack and taming the heat

China’s tech giants deliver chips for Ethernet variant tuned to HPC and AI workloads

'Global Scheduling Ethernet' looks a lot like tech the Ultra Ethernet Consortium is also working on

D-Link tells users to trash old VPN routers over bug too dangerous to identify

Vendor offers 20% discount on new model, but not patches

'Alarming' security bugs lay low in Linux's needrestart utility for 10 years

Update now: Qualys says flaws give root to local users, 'easily exploitable', default in Ubuntu Server

Palo Alto Networks tackles firewall-busting zero-days with critical patches

Amazing that these two bugs got into a production appliance, say researchers

Cisco combines Meraki and Catalyst into single wireless brand

Simplifies licenses and adds more 'included value' such as compulsory support

HTTP your way into Citrix's Virtual Apps and Desktops with fresh exploit code

'Once again, we've lost a little more faith in the internet,' researcher says