A selection of IP phone systems sold by Cisco were recently put on alert due to a vulnerability in their firmware that could allow an attacker to eavesdrop on conversations.
Cisco said its SPA300 and SPA500 series IP small business phone systems contain a flaw in their firmware related to improper authentication settings in the default configuration. As the company recently warned, an attacker could exploit the vulnerability by sending a crafted XML request to an affected device.
As of writing, Cisco said it is aware of the vulnerability in version 7.5.5 of the systems. Later models may also be vulnerable.
The good news for businesses is that an attacker may need access to trusted, internal networks behind a firewall to send the XML requests to targets. This of course will reduce the likelihood of a successful exploit, Cisco said.
There’s currently no fix available (a patch is in the works) but in the meantime, administrators are advised to enable XML Execution authentication in the configuration settings of affected devices and only grant network access to trusted users. Admins can also help protect against external attacks by using a solid firewall strategy.
In the post-Snowden era, it seems as though vulnerabilities like this keep popping up all the time and are often uncovered due to renewed scrutiny of mission-critical infrastructure.