Unauthenticated Remote Code Execution and Denial of Service Vulnerabilities in Cisco IP Phones
CVE-2021-1379

6.5 MEDIUM

Summary

Vulnerabilities exist in the Cisco Discovery Protocol and Link Layer Discovery Protocol (LLDP) implementations in Cisco IP Phone Series 68xx/78xx/88xx models. They stem from inadequate security checks when the phone processes incoming Cisco Discovery Protocol or LLDP packets, and could allow an unauthenticated, adjacent attacker to execute arbitrary code remotely or cause the affected device to reboot unexpectedly. Exploitation requires the attacker to be in the same broadcast domain as the phone, which highlights the importance of securing network segments to mitigate such risks. Cisco has released software updates that resolve these vulnerabilities; no effective workarounds have been identified.

Affected Version(s)

Cisco IP Phones with Multiplatform Firmware 11.1.2

Cisco IP Phones with Multiplatform Firmware 11.2.1

Cisco IP Phones with Multiplatform Firmware 11.2.3

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
