Dump these insecure phone adapters because we're not fixing them, says Cisco

Security hole ranks 9.8 out of 10 in severity, 0 out of 10 in patch availability

There is a critical security flaw in a Cisco phone adapter, and the business technology giant says the only step to take is dumping the hardware and migrating to new kit.

In an advisory, Cisco this week warned about the vulnerability in the SPA112 2-Port Adapter that, if exploited, could allow a remote attacker to essentially take control of a compromised device by seizing full privileges and executing arbitrary code.

The flaw, tracked as CVE-2023-20126, is rated as "critical," with a base score of 9.8 out of 10.

Adding to the problem is the fact that the adapter reached its end of life in June 2020, and while the last date to extend or renew a service contract for the product isn't until August 2024, Cisco said in the advisory it will not release firmware updates to address the flaw and there are no workarounds.

"Customers are encouraged to migrate to a Cisco ATA 190 Series Analog Telephone Adapter," the manufacturer wrote in its advisory.

The Register has asked Cisco for more information, and will update the story if a response comes in.

The flaw is in the web-based management interface for the two-port adapter, which is used by organizations to connect analog phones and fax machines (please don't ask us to explain what those are) to voice-over-IP systems without having to upgrade them.

The vulnerability stems from a missing authentication process in the firmware upgrade function, according to Cisco.

"This vulnerability is due to a missing authentication process within the firmware upgrade function," the company wrote. "An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges."

DBAPPsecurity, a network security company in China, alerted Cisco to the vulnerability, according to the network box maker. Cisco's Product Security Incident Response Team (PSIRT) doesn't know of any exploitation of the vulnerability.

The ATA 190 Series adapter has been available for almost a decade and, like the SPA112 adapter, enables enterprises to turn analog devices like phones, fax machines, and paging systems into IP devices. They can then be used by companies with enterprise networks, small offices, and unified communications-as-a-service cloud operations.

We note that the 190 specifically has its own final updates scheduled for March 2024; Cisco recommends people use the ATA 191 and later models.

Before migrating to whichever new adapter, organizations should make sure the device will address their network needs and that their hardware and software configurations are supported by the device, Cisco wrote.

While there doesn't seem to have been attacks exploiting the vulnerability in the wild, upgrading to still-supported adapters would make sense. Cisco's Talos threat intelligence unit said last month that Russian intelligence operatives, working under the APT28 threat group umbrella, in 2021 exploited an old vulnerability in Cisco routers to gather network data from US and European government agencies.

Cisco had issued a fix for the flaw in 2017, though some routers remain unpatched. Talos said miscreants are only getting better and better at their attacks on networks, including exploiting known flaws in vulnerable devices. ®

Send us news

Ransomware fiends pounce on Cisco VPN brute-force zero-day flaw

No patch yet – but you've got strong creds and MFA enabled anyway, yeah?

Cisco spends $28B on data cruncher Splunk in cybersecurity push

$157/share cash deal is the largest acquisition in networking titan's history

Cisco dumps its Hyperflex hyperconverged infrastructure

To Nutanix go the spoils, to VMware users comes a compatibility nightmare

BT confirms it's switching off 3G in UK from Jan next year

Time to retire that Nokia N97 at last?

Google warns infoseccers: Beware of North Korean spies sliding into your DMs

ALSO: Verizon turns self in for reduced fine, malvertising comes to macOS, and this week's critical vulnerabilities

EE touts next-gen broadband Smart Hub with Wi-Fi 7 for 2024

Sure to lure in a few in the WFH crowd ... but no pricing yet

Thousands of Juniper Junos firewalls still open to hijacks, exploit code available to all

Unauthenticated and remote code execution possible without dropping a file on disk

California passes bill to set up one-stop data deletion shop

Also, LockBit gets a new second stringer, AirTag owners find yet another illicit use, and this week's critical vulns

Vodafone claims first space-based 5G phone call – no modifications needed

The roaming charges must be out of this world

Sysadmin and spouse admit to part in 'massive' pirated Avaya licenses scam

Could spend 20 years in prison after selling $88M in ADI software keys

Starlink speeds ahead in the satellite race but rivals aren't starstruck just yet

Download rates stabilize after influx of users dragged on service

Amazon's three rocket makers insist Project Kuiper will launch on schedule

It's not as if space is hard, is it?