Our customers with Cisco SPA 300- and 500-series telephones ought to be aware of a security problem described here in Network World (hat tip goes to Chris Watts of Tech Analysis). The Cisco advisory is here and states that, “Cisco Small Business SPA 300 and 500 Series IP phones contain a vulnerability that could allow an unauthenticated, remote attacker to access sensitive information. Updates are not available.”
If you are currently using these telephone models, be aware of the vulnerability, especially with remote telephones or telephones connected to a hosted or cloud-based service. Among Cisco’s recommendations:
- Enable XML Execution authentication in the configuration settings of affected devices;
- Check your firewall settings, though this will do little for teleworkers on premise and remote workers on cloud/hosted services;
- Consider using more stringent ACLs (or internally you can use MAC address authentication with DHCP) to restrict what gets into or onto your network.
This has happened before with Cisco telephones. Not to gloat, since we know that every system is subject to vulnerabilities at some point or another. But gloating is fun.