Last week, the multinational digital communications technology conglomerate Cisco Systems, Inc. disclosed a vulnerability in the web-based management interface of its SPA112 2-Port Phone Adapters, which could allow an unauthenticated, remote attacker to execute arbitrary code on the devices.
Can Cisco fix this? Well, the company also said that they are not fixing this vulnerability, so you can feel free to throw the device away in the trash – unless you want to compromise your security. Here are more details about this news.
Tracked as CVE-2023-20126 and tagged “Critical” with a CVSS score of 9.8, the vulnerability is brought about by a missing authentication process in the firmware upgrade feature.
“A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device,” Cisco said in its security advisory. “Cisco has not released firmware updates to address this vulnerability. There are no workarounds that address this vulnerability.”
The company added that an attacker could exploit this vulnerability by successfully upgrading an affected device to a crafted version of the firmware. If this happens, the attacker can execute arbitrary code on the affected device with full privileges.
According to the official product page, the Cisco SPA112 2-Port Phone Adapters allowed individuals to use their phones over the Internet without compromising voice quality or phone and fax features. The device also provides the benefits of high-quality Voice over Internet Protocol (VoIP) without requiring users to upgrade their existing analog phones.
The product page also said that this product is no longer being sold.
Cisco urged customers to migrate to a Cisco ATA 190 Series Analog Telephone Adapter. This adapter has been available for nearly a decade now. Like the SPA112 adapter, it enables businesses to turn analog devices such as phones, paging systems, and fax machines into IP devices. Companies with enterprise networks, small businesses, and unified communications-as-a-service cloud operations can then utilize these.
But this ATA migration may be only a short-term solution rather than a truly viable one: the ATA 190 Series has its own end-of-sale and end-of-life update scheduled for March 2024.
The company also instructed customers on what to do when considering a device migration. Cisco said they must regularly consult the advisories for its products, available from the Cisco Security Advisories page, to determine their exposure and a complete upgrade solution.
It also advised organizations to ensure the device will provide for their specific network needs, and that the device must support their hardware and software configurations.
“If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers,” Cisco said.
Upgrading to supported adapters would help prevent incidents like the one that hit Cisco’s routers last month, when Russian state-sponsored hackers deployed custom malware using those routers, as PVP Live previously reported.