09-14-2013 02:29 AM - edited 03-21-2019 07:46 AM
There is a remote control API available on every phone at http://<ip>/CGI/Execute
It allows a remote user to order the phone to dial any number; you can simulate key presses, e.g. you can change anything accessible via the phone menu, and so on.
Such an API is open by default in SIP mode - no authentication is required.
Such an API is not mentioned in the Administrator Guide, so admins may not be aware of it. As a result, any attacker with physical access to an Ethernet plug connected to the phone network can order any other phone connected to such a network to dial any number. As it's documented nowhere, most networks haven't changed the default to something more secure. Bill fraud is imminent.
Access to /CGI/Execute can be restricted by the 'CISCO_XML_EXE_Auth_Mode' option, but it's not documented. An unauthorized description based on observations can be read here: CiscoIPPhoneExecute Dial, but note that it will break access to the WWW UI; see Broken WWW UI on SPA504G.
All SPA5xx, SPA3xx, SPA1xx and SPA2xx with current firmware seem to be affected by the issue (it doesn't mean that older firmwares are not vulnerable, I just didn't test them).
Workaround:
Because bill fraud may occur, it needs to be considered a severe security incident.
Phones in SPCP mode have not been analyzed.
04-14-2015 05:59 AM
The Broken WWW UI issue has been solved in 7.5.6 firmware.
But the API is still wide open by default, making the phone vulnerable.
See also: Bug in the latest spa3XX-5XXG phone firmware 7.5.6 - Can not transfer anonymous calls
Updated: see CSCuo52482; it seems to be solved in 7.5.7s.
01-07-2017 08:55 AM
Note that the default value of CISCO_XML_EXE_Auth_Mode has been changed from Trusted to Local Credential in 7.5.7s firmware.
Also, CISCO_XML_EXE_Enable, with a default value of No, has been introduced in the same version.
See also: Added/removed/changed XML tags between N and M firmware of SPA50x
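An added audit helper (not from the thread or from Cisco) that checks an exported phone profile for the two settings discussed above, flagging a Trusted auth mode or an enabled API; the flat-profile XML layout of the sample export is assumed, and the sample profiles are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed samples. The <flat-profile> element layout is an assumption
# about what an SPA config export looks like, not something from the post.
WEAK_PROFILE = """<flat-profile>
  <CISCO_XML_EXE_Auth_Mode ua="na">Trusted</CISCO_XML_EXE_Auth_Mode>
</flat-profile>"""

HARDENED_PROFILE = """<flat-profile>
  <CISCO_XML_EXE_Enable ua="na">No</CISCO_XML_EXE_Enable>
  <CISCO_XML_EXE_Auth_Mode ua="na">Local Credential</CISCO_XML_EXE_Auth_Mode>
</flat-profile>"""


def audit_xml_exe(profile_xml):
    """Return a list of findings about the /CGI/Execute settings in a profile.

    An empty list means the API is switched off and would require
    credentials even if it were turned back on.
    """
    root = ET.fromstring(profile_xml)
    findings = []

    enable = root.findtext("CISCO_XML_EXE_Enable")
    auth = root.findtext("CISCO_XML_EXE_Auth_Mode")

    # CISCO_XML_EXE_Enable only exists from 7.5.7s onward; on older firmware
    # the API cannot be disabled at all, so its absence is worth reporting.
    if enable is None:
        findings.append("CISCO_XML_EXE_Enable absent: option not present before 7.5.7s, API cannot be disabled")
    elif enable.strip().lower() != "no":
        findings.append("CISCO_XML_EXE_Enable=%r: /CGI/Execute is enabled" % enable)

    # Before 7.5.7s the default auth mode is Trusted, i.e. no authentication.
    if auth is None:
        findings.append("CISCO_XML_EXE_Auth_Mode absent: firmware default applies (Trusted before 7.5.7s)")
    elif auth.strip().lower() == "trusted":
        findings.append("CISCO_XML_EXE_Auth_Mode=Trusted: /CGI/Execute accepts unauthenticated requests")

    return findings


def api_exposed(profile_xml):
    """True when the profile leaves the remote-control API reachable without credentials."""
    return any("Trusted" in f or "enabled" in f for f in audit_xml_exe(profile_xml))


if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_xml_exe(prof))
```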