Dump these insecure phone adapters because we're not fixing them, says Cisco

Security hole ranks 9.8 out of 10 in severity, 0 out of 10 in patch availability

There is a critical security flaw in a Cisco phone adapter, and the business technology giant says the only step to take is dumping the hardware and migrating to new kit.

In an advisory, Cisco this week warned about the vulnerability in the SPA112 2-Port Adapter that, if exploited, could allow a remote attacker to essentially take control of a compromised device by seizing full privileges and executing arbitrary code.

The flaw, tracked as CVE-2023-20126, is rated as "critical," with a base score of 9.8 out of 10.

Adding to the problem is the fact that the adapter reached its end of life in June 2020, and while the last date to extend or renew a service contract for the product isn't until August 2024, Cisco said in the advisory it will not release firmware updates to address the flaw and there are no workarounds.

"Customers are encouraged to migrate to a Cisco ATA 190 Series Analog Telephone Adapter," the manufacturer wrote in its advisory.

The Register has asked Cisco for more information, and will update the story if a response comes in.

The flaw is in the web-based management interface for the two-port adapter, which is used by organizations to connect analog phones and fax machines (please don't ask us to explain what those are) to voice-over-IP systems without having to upgrade them.

The vulnerability stems from a missing authentication process in the firmware upgrade function, according to Cisco.

"This vulnerability is due to a missing authentication process within the firmware upgrade function," the company wrote. "An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges."

DBAPPsecurity, a network security company in China, alerted Cisco to the vulnerability, according to the network box maker. Cisco's Product Security Incident Response Team (PSIRT) doesn't know of any exploitation of the vulnerability.

The ATA 190 Series adapter has been available for almost a decade and, like the SPA112 adapter, enables enterprises to turn analog devices like phones, fax machines, and paging systems into IP devices. They can then be used by companies with enterprise networks, small offices, and unified communications-as-a-service cloud operations.

We note that the 190 specifically has its own final updates scheduled for March 2024; Cisco recommends people use the ATA 191 and later models.

Before migrating to whichever new adapter, organizations should make sure the device will address their network needs and that their hardware and software configurations are supported by the device, Cisco wrote.

While there doesn't seem to have been attacks exploiting the vulnerability in the wild, upgrading to still-supported adapters would make sense. Cisco's Talos threat intelligence unit said last month that Russian intelligence operatives, working under the APT28 threat group umbrella, in 2021 exploited an old vulnerability in Cisco routers to gather network data from US and European government agencies.

Cisco had issued a fix for the flaw in 2017, though some routers remain unpatched. Talos said miscreants are only getting better and better at their attacks on networks, including exploiting known flaws in vulnerable devices. ®

Send us news

Veeam says critical flaw can't be abused to trash backups

It's still a rough one, so patch up

Google Cloud shows it can break things for lots of customers – not just one at a time

Deleted about 40 networks that services needed, causing late Thursday fun

Researchers call out QNAP for dragging its heels on patch development

WatchTowr publishes report claiming vendor failed to issue fixes after four months

Starlink offers 'unusually hostile environment' to TCP

Hopping satellites every 15 seconds will do that to a protocol, natch

Critical Fluent Bit bug affects all major cloud providers, say researchers

Crashes galore, plus especially crafty crims could use it for much worse

GitHub Enterprise Server patches 10-outta-10 critical hole

On the bright side, someone made up to $30,000+ for finding it

Big Tech is not much help when fighting a junta, and FOSS doesn't ride to the rescue

Opponents of Myanmar’s internet-nobbling military government don't like when Facebook asks for their real names

TR-069, a protocol that made broadband manageable, turns 20. What's coming next?

In less than 13 minutes, we'll get you up to speed on USP

John Deere now considers VMs to be legacy tech, Ethernet and Wi-Fi on the brink

Plans robo-tractors to help as folks flee the farm but the planet stays hungry

NCSC CTO: Broken market must be fixed to usher in new tech

It may take ten years but vendors must be held accountable for the vulnerabilities they introduce

NHS Digital hints at exploit sightings of Arcserve UDP vulnerabilities

When PoC code is released within a day of disclosure, it's only a matter of time before attacks kick off

Undersea cables must have high-priority protection before they become top targets

It's 'essential to national security' ex-Navy intel officer tells us