Sign-up

ID

VAR-200711-0089


CVE

CVE-2007-6190


TITLE

Cisco Unified IP Phone of HTTP Eavesdropping vulnerability in daemon

Trust: 0.8

sources: JVNDB: JVNDB-2007-002939

DESCRIPTION

The HTTP daemon in the Cisco Unified IP Phone, when the Extension Mobility feature is enabled, allows remote authenticated users of other phones associated with the same CUCM server to eavesdrop on the physical environment via a CiscoIPPhoneExecute message containing a URL attribute of an ExecuteItem element that specifies a Real-Time Transport Protocol (RTP) audio stream. Cisco Unified IP Phone is prone to a vulnerability that allows eavesdropping. An attacker can exploit this issue to transmit or receive audio stream data to an unsuspecting victim. Successfully exploiting this issue will allow the attacker to access sensitive information. If the attack is successful, the IP phone will turn on the microphone status light, and the phone will display an off-hook icon to indicate that a call is in progress. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Cisco Unified IP Phone Extension Mobility Weakness SECUNIA ADVISORY ID: SA27829 VERIFY ADVISORY: http://secunia.com/advisories/27829/ CRITICAL: Not critical IMPACT: Security Bypass WHERE: >From local network OPERATING SYSTEM: Cisco IP Phone 7900 Series http://secunia.com/product/2809/ DESCRIPTION: Joffrey Czarney has reported a weakness in Cisco Unified IP Phones, which can be exploited by malicious people to bypass certain security restrictions. The problem is that the Extension Mobility authentication credentials are not encrypted when communicating with the internal web server of an IP phone. This can be exploited to sniff the authentication credentials and perform various actions on a target IP phone (e.g. remotely login/logout a user or eavesdrop on calls). Successful exploitation requires that the Extension Mobility feature is enabled (not enabled by default). The weakness affects all Cisco IP Phones that support the Extension Mobility feature. SOLUTION: The vendor has provided some workaround to mitigate this issue. Please see the vendor's advisory for details. PROVIDED AND/OR DISCOVERED BY: Joffrey Czarney, Telindus ORIGINAL ADVISORY: Cisco (100252): http://www.cisco.com/warp/public/707/cisco-sr-20071128-phone.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2007-6190 // JVNDB: JVNDB-2007-002939 // BID: 26668 // VULHUB: VHN-29552 // PACKETSTORM: 61357

AFFECTED PRODUCTS

vendor:ciscomodel:unified ip phonescope: - version: -

Trust: 1.4

vendor:ciscomodel:unified ip phonescope:eqversion:*

Trust: 1.0

vendor:ciscomodel:unified ip phonescope:eqversion:8.2(1)

Trust: 0.3

vendor:ciscomodel:unified ip phone 8.0 sr2scope: - version: -

Trust: 0.3

vendor:ciscomodel:unified ip phone 8.0 sr1scope: - version: -

Trust: 0.3

vendor:ciscomodel:unified ip phone 7971gscope: - version: -

Trust: 0.3

vendor:ciscomodel:unified ip phone 7970gscope: - version: -

Trust: 0.3

vendor:ciscomodel:unified ip phone 7961gscope: - version: -

Trust: 0.3

vendor:ciscomodel:unified ip phone 7941gscope: - version: -

Trust: 0.3

vendor:ciscomodel:unified ip phone 7911gscope: - version: -

Trust: 0.3

vendor:ciscomodel:unified ip phone 7906gscope: - version: -

Trust: 0.3

sources: BID: 26668 // JVNDB: JVNDB-2007-002939 // CNNVD: CNNVD-200711-421 // NVD: CVE-2007-6190

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2007-6190
value: LOW

Trust: 1.0

NVD: CVE-2007-6190
value: LOW

Trust: 0.8

CNNVD: CNNVD-200711-421
value: LOW

Trust: 0.6

VULHUB: VHN-29552
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2007-6190
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-29552
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-29552 // JVNDB: JVNDB-2007-002939 // CNNVD: CNNVD-200711-421 // NVD: CVE-2007-6190

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-29552 // JVNDB: JVNDB-2007-002939 // NVD: CVE-2007-6190

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200711-421

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-200711-421

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2007-002939

PATCH
title:Document ID: 599url:http://www.cisco.com/en/US/products/csr/cisco-sr-20071128-phone.html
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2007-002939

EXTERNAL IDS
db:NVDid:CVE-2007-6190
Trust: 2.8
db:BIDid:26668
Trust: 2.0
db:SECUNIAid:27829
Trust: 1.8
db:SECTRACKid:1019006
Trust: 1.7
db:VUPENid:ADV-2007-4036
Trust: 1.7
db:OSVDBid:40874
Trust: 1.7
db:JVNDBid:JVNDB-2007-002939
Trust: 0.8
db:CISCOid:20071128 CISCO UNIFIED IP PHONE REMOTE EAVESDROPPING
Trust: 0.6
db:CNNVDid:CNNVD-200711-421
Trust: 0.6
db:VULHUBid:VHN-29552
Trust: 0.1
db:PACKETSTORMid:61357
Trust: 0.1
sources:
            
            
            VULHUB: VHN-29552 // 
            
            
            
            BID: 26668 // 
            
            
            
            JVNDB: JVNDB-2007-002939 // 
            
            
            
            PACKETSTORM: 61357 // 
            
            
            
            CNNVD: CNNVD-200711-421 // 
            
            
            
            NVD: CVE-2007-6190

REFERENCES
url:http://www.cisco.com/en/us/products/products_security_response09186a0080903a6d.html
Trust: 2.0
url:http://www.securityfocus.com/bid/26668
Trust: 1.7
url:http://www.hack.lu/pres/hacklu07_remote_wiretapping.pdf
Trust: 1.7
url:http://osvdb.org/40874
Trust: 1.7
url:http://securitytracker.com/id?1019006
Trust: 1.7
url:http://secunia.com/advisories/27829
Trust: 1.7
url:http://www.vupen.com/english/advisories/2007/4036
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-6190
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-6190
Trust: 0.8
url:http://www.frsirt.com/english/advisories/2007/4036
Trust: 0.6
url:http://www.cisco.com/en/us/products/hw/phones/ps379/index.html
Trust: 0.3
url:http://secunia.com/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/about_secunia_advisories/
Trust: 0.1
url:http://www.cisco.com/warp/public/707/cisco-sr-20071128-phone.shtml
Trust: 0.1
url:http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/advisories/27829/
Trust: 0.1
url:http://secunia.com/product/2809/
Trust: 0.1
sources:
            
            
            VULHUB: VHN-29552 // 
            
            
            
            BID: 26668 // 
            
            
            
            JVNDB: JVNDB-2007-002939 // 
            
            
            
            PACKETSTORM: 61357 // 
            
            
            
            CNNVD: CNNVD-200711-421 // 
            
            
            
            NVD: CVE-2007-6190

CREDITS
Joffrey Czarney Joffrey.czarny@telindus.fr
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-200711-421

SOURCES
db:VULHUBid:VHN-29552
db:BIDid:26668
db:JVNDBid:JVNDB-2007-002939
db:PACKETSTORMid:61357
db:CNNVDid:CNNVD-200711-421
db:NVDid:CVE-2007-6190

LAST UPDATE DATE
2025-04-10T23:07:23.613000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-29552date:2011-03-08T00:00:00
db:BIDid:26668date:2007-12-05T16:42:00
db:JVNDBid:JVNDB-2007-002939date:2012-06-26T00:00:00
db:CNNVDid:CNNVD-200711-421date:2007-11-30T00:00:00
db:NVDid:CVE-2007-6190date:2025-04-09T00:30:58.490

SOURCES RELEASE DATE
db:VULHUBid:VHN-29552date:2007-11-30T00:00:00
db:BIDid:26668date:2007-12-01T00:00:00
db:JVNDBid:JVNDB-2007-002939date:2012-06-26T00:00:00
db:PACKETSTORMid:61357date:2007-11-30T05:36:59
db:CNNVDid:CNNVD-200711-421date:2007-11-29T00:00:00
db:NVDid:CVE-2007-6190date:2007-11-30T01:46:00