This is the Cisco PSIRT response to a presentation given at the Hack.Lu 2007 security conference by Joffrey Czarny of Telindus regarding a technique to remotely eavesdrop using Cisco Unified IP Phones.
The original report is available at the following link:
http://www.hack.lu/archive/2007/hacklu07_Remote_wiretapping.pdf
We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in product reports.
This Cisco Security Response is posted at the following link:
Cisco confirms that an attacker with valid Extension Mobility authentication credentials could cause a Cisco Unified IP Phone configured to use the Extension Mobility feature to transmit or receive a Real-Time Transport Protocol (RTP) audio stream. This ability can be exploited to perform a remote eavesdropping attack. All Cisco IP Phones that support the Extension Mobility feature are vulnerable.
For this attack to be feasible, several conditions need to be satisfied:
The internal web server of the IP phone must be enabled. The web server is enabled by default.
The IP phone must be configured to use the Extension Mobility feature, which is not enabled by default.
The attacker must have or obtain valid Extension Mobility authentication credentials.
Extension Mobility authentication credentials are not tied to individual IP phones. Any Extension Mobility account configured on an IP phone's Cisco Unified Communications Manager/CallManager (CUCM) server can be used to perform an eavesdropping attack.
To acquire Extension Mobility authentication credentials, an attacker needs physical access to the internal network to sniff credentials. This can be accomplished by inserting a sniffing device between an IP phone and switch port.
Before eavesdropping can occur, the user who is logged into the IP phone via Extension Mobility must first be logged out of the IP phone. This can be accomplished by sending an Extension Mobility logout message to the IP phone's Cisco Unified Communications Manager/CallManager (CUCM) server.
If exploitation is successful, any IP phone that is undergoing an eavesdropping attack will have its speaker phone status light enabled, and the phone will display an off-hook icon that indicates an active call is in progress. Internal testing by Cisco also revealed that the described attack produced static noise on the IP phone while it was under attack.
There are workarounds to mitigate this issue:
Disable the internal web server on IP phones.
Disable the Extension Mobility feature on IP phones.
Disable the speaker phone / headset functionality on IP phones.
This attack can also be mitigated by restricting access to the internal web server of IP phones (TCP port 80) using a transit access control list (tACL). For more information on transit access control lists, reference this link:
For more information about Cisco-recommended best practices for securely deploying Cisco Unified IP Phones, reference this link:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/6x/security.html#wp1045452
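As an added illustration of the tACL mitigation above (not part of Cisco's response), the following Python script reviews flow records for TCP port 80 connections to phones from sources outside an allowlist, which is useful both for building the tACL and for confirming it is effective. The voice subnet, the allowed hosts and the flow-record layout are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the advisory): voice VLAN range, the hosts allowed to
# reach phone web servers, and the "src dst proto dport" flow-record layout.
VOICE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
ALLOWED_SRC = [ipaddress.ip_network("10.1.1.10/32"),  # hypothetical CUCM server
               ipaddress.ip_network("10.1.9.0/28")]   # hypothetical admin hosts

# Constructed sample flow records, one per line.
SAMPLE_FLOWS = """\
10.1.1.10 10.20.4.17 tcp 80
10.30.7.44 10.20.4.17 tcp 80
10.30.7.44 10.20.4.18 tcp 80
10.20.4.18 10.20.4.17 udp 16384
10.1.9.3 10.20.8.2 tcp 80
10.30.7.45 10.50.0.5 tcp 80
garbage line
"""

def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)

def unauthorized_phone_web_access(flow_text):
    """Return {source_ip: sorted phone IPs} for TCP/80 flows to phones
    from sources the tACL is expected to block."""
    hits = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        try:
            src = ipaddress.ip_address(fields[0])
            dst = ipaddress.ip_address(fields[1])
            dport = int(fields[3])
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if fields[2].lower() != "tcp" or dport != 80:
            continue  # only the phone web server port matters here
        if in_any(dst, VOICE_NETS) and not in_any(src, ALLOWED_SRC):
            hits[str(src)].add(str(dst))
    return {src: sorted(dsts) for src, dsts in hits.items()}

if __name__ == "__main__":
    for src, phones in unauthorized_phone_web_access(SAMPLE_FLOWS).items():
        print(f"{src} reached phone web server on: {', '.join(phones)}")
```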
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.