Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities

Vulnerability

Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges [1]. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface, which is enabled by default [1]. All versions of the SPA100 Series firmware prior to the fixed release are affected [1].

Exploitation

An attacker must first authenticate to the web-based management interface of an affected device [1]. Authentication requires network access to the device, and the attacker must be adjacent (i.e., on the same Layer 2 network segment) [1]. After authentication, the attacker sends a specially crafted request to the web-based management interface [1]. No user interaction beyond the initial authentication is required for the exploit [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code with elevated privileges on the affected device [1]. This could lead to full compromise of the ATA, including the ability to modify configuration, intercept or redirect calls, or use the device as a pivot point for further attacks within the network [1].

Mitigation

Cisco has released free software updates that address these vulnerabilities [1]. The fixed firmware version is available from the Cisco Software Center. Customers with valid service contracts or who are entitled to free upgrades should obtain the fixed software from Cisco [1]. No workarounds are available; the recommended mitigation is to upgrade to the patched firmware version [1].