Security

CSO

Dump these insecure phone adapters because we're not fixing them, says Cisco

Security hole ranks 9.8 out of 10 in severity, 0 out of 10 in patch availability


There is a critical security flaw in a Cisco phone adapter, and the business technology giant says the only step to take is dumping the hardware and migrating to new kit.

In an advisory, Cisco this week warned about the vulnerability in the SPA112 2-Port Adapter that, if exploited, could allow a remote attacker to essentially take control of a compromised device by seizing full privileges and executing arbitrary code.

The flaw, tracked as CVE-2023-20126, is rated as "critical," with a base score of 9.8 out of 10.

Adding to the problem is the fact that the adapter reached its end of life in June 2020, and while the last date to extend or renew a service contract for the product isn't until August 2024, Cisco said in the advisory it will not release firmware updates to address the flaw and there are no workarounds.

"Customers are encouraged to migrate to a Cisco ATA 190 Series Analog Telephone Adapter," the manufacturer wrote in its advisory.

The Register has asked Cisco for more information, and will update the story if a response comes in.

The flaw is in the web-based management interface for the two-port adapter, which is used by organizations to connect analog phones and fax machines (please don't ask us to explain what those are) to voice-over-IP systems without having to upgrade them.

The vulnerability stems from a missing authentication process in the firmware upgrade function, according to Cisco.

"This vulnerability is due to a missing authentication process within the firmware upgrade function," the company wrote. "An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges."

DBAPPsecurity, a network security company in China, alerted Cisco to the vulnerability, according to the network box maker. Cisco's Product Security Incident Response Team (PSIRT) doesn't know of any exploitation of the vulnerability.

The ATA 190 Series adapter has been available for almost a decade and, like the SPA112 adapter, enables enterprises to turn analog devices like phones, fax machines, and paging systems into IP devices. They can then be used by companies with enterprise networks, small offices, and unified communications-as-a-service cloud operations.

We note that the 190 specifically has its own final updates scheduled for March 2024; Cisco recommends people use the ATA 191 and later models.

Before migrating to whichever new adapter, organizations should make sure the device will address their network needs and that their hardware and software configurations are supported by the device, Cisco wrote.

While there doesn't seem to have been attacks exploiting the vulnerability in the wild, upgrading to still-supported adapters would make sense. Cisco's Talos threat intelligence unit said last month that Russian intelligence operatives, working under the APT28 threat group umbrella, in 2021 exploited an old vulnerability in Cisco routers to gather network data from US and European government agencies.

Cisco had issued a fix for the flaw in 2017, though some routers remain unpatched. Talos said miscreants are only getting better and better at their attacks on networks, including exploiting known flaws in vulnerable devices. ®

Send us news
90 Comments

Cisco returns to load balancing market as it chases VMware refugees

Uses eBPF, which both Google and Meta have proven out at scale

Cisco Borgs all its management tools into a single Cloud Control console

Not just a salve for netadmins – this is also a play to ensure Switchzilla is AI-relevant

Cisco president says dredging coding syntax from wetware memory wastes engineers' expensive synapses

Wants to let AI do the boring bits so his team can invent more cool stuff

Apple fixes zero-click exploit underpinning Paragon spyware attacks

Zero-day potentially tied to around 100 suspected infections in 2025 and a spyware scandal on the continent

CIO wants to grow tech team by cloning staff as digital twins and AI agents

UC San Diego hopes humans spend less time fighting fires, more time repelling 'exquisite' attacks from abroad that researchers accidentally invited

BT won't budge over pay hike for manager grade employees

Prospect union threatens to up campaign, raise dispute with CEO

PCIe 7.0 specs finalized at 512 GBps bandwidth, PCIe 8.0 in the pipeline

Work on next gen already underway, while bandwidth needs for datacenters just keep rising

Broadcom aims a Tomahawk at Nvidia's AI networking empire with 102.4T photonic switch

Chip giant's latest ASIC promises 200GbE to up to 512 GPUs

Broadcom sends VMware to record revenue, margins, as most big customers sign for private cloud bundles

Chip biz surging too as CEO Hock Tan predicts optical GPU interconnects are a year or two away

Ivanti makes dedicated fans of Chinese spies who just can't resist attacking its buggy kit

If it ain't broke?

Freshly discovered bug in OpenPGP.js undermines whole point of encrypted comms

Update before that proof-of-concept comes to bite

To progress as an engineer career-wise, become a great communicator

It'll even help you develop technical skills