Cisco is warning of multiple critical remote code execution zero-days in the web-based management interface of the end-of-life Small Business SPA 300 and SPA 500 series IP phones.
The vendor has not made patches available for these devices and shared no mitigation tips, so users of those products will have to migrate to newer and actively supported models as soon as possible.
Vulnerability details
Cisco has disclosed five flaws, three rated critical (CVSS v3.1 score: 9.8) and two classified as high-severity (CVSS v3.1 score: 7.5).
The critical vulnerabilities are tracked as CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454.
These buffer overflow vulnerabilities allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying OS with root privileges by sending a specially crafted HTTP request to the target device.
“A successful exploit could allow the attacker to overflow an internal buffer and execute arbitrary commands at the root privilege level,” warns Cisco in the bulletin.
The two high-severity flaws are CVE-2024-20451 and CVE-2024-20453. They are caused by insufficient checks on HTTP packets, which allow malicious packets to cause a denial of service on the affected device.
Cisco notes that all five flaws affect all software releases that run on SPA 300 and SPA 500 IP phones regardless of their configuration and are independent of one another, meaning that they can be exploited individually.
End of support
According to Cisco’s support portal, SPA 300 was last sold to customers in February 2019 and reached its end of support three years later, in February 2022.
For SPA 500, the vendor stopped selling the hardware on the same date it reached its end of support, on June 1, 2020.
It should be noted that Cisco is still covering SPA 500 until May 31, 2025 for holders of service contracts or special warranty terms, but SPA 300 isn’t covered since February 29, 2024.
Neither will get a security update, so users are urged to transition to newer, supported models, like the Cisco IP Phone 8841 or a model from the Cisco 6800 series.
Cisco also offers a Technology Migration Program (TMP), which allows customers to trade in eligible products and receive credit toward new equipment.
Those uncertain about their options are urged to contact Cisco’s Technical Assistance Center (TAC).