Cisco SPA300/500 IP Phones Vulnerable To Remote Eavesdropping

Bismillah writes Cisco has confirmed that its SPA300 and SPA500 are vulnerable to remote eavesdropping and dialing, and is working on a patch. Meanwhile, the advice is not to have the phones on internet-facing connections. From the article: "Cisco has confirmed the issue reported by Watts, which is a result of wrong authentication settings in the default configuration of firmware version 7.5.5. An attacker can send a specially crafted Extended Markup Language (XML) request to devices which will allow them to both make phone calls remotely, and listen in on audio streams. Successful exploits could be used to conduct further attacks, Cisco warned. Despite the confirmed vulnerability, Cisco said the flaw was unlikely to be used and gave it a low 'harassment' severity rating."

Re:So lemme get this right:

[Sique]

Normally, your phone is not reachable by the public network, the attacker has to be within the LAN to sent an XML packet to your phone. And if you have a SIP phone reachable from the outside, it still sits behind a Session Border Controller, which only forwards SIP, but not XML.

So yes, the severity is low, as the attacker has to be within your LAN in almost all scenarios.