Unauthenticated Remote Code Execution and Denial of Service Vulnerabilities in Cisco IP Phones
CVE-2021-1379
Key Information
- Vendor
- Cisco
- Status
- Cisco Ip Phones With Multiplatform Firmware
- Cisco Session Initiation Protocol (sip) Software
- Cisco Small Business Ip Phones
- Vendor
- CVE Published:
- 18 November 2024
Summary
Multiple vulnerabilities in the Cisco Discovery Protocol and Link Layer Discovery Protocol (LLDP) implementations for Cisco IP Phone Series 68xx/78xx/88xx could allow an unauthenticated, adjacent attacker to execute code remotely or cause a reload of an affected IP phone. These vulnerabilities are due to missing checks when the IP phone processes a Cisco Discovery Protocol or LLDP packet. An attacker could exploit these vulnerabilities by sending a malicious Cisco Discovery Protocol or LLDP packet to the targeted IP phone. A successful exploit could allow the attacker to execute code on the affected IP phone or cause it to reload unexpectedly, resulting in a denial of service (DoS) condition.Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit these vulnerabilities, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
Affected Version(s)
Cisco IP Phones with Multiplatform Firmware = 11.1.2
Cisco IP Phones with Multiplatform Firmware = 11.2.1
Cisco IP Phones with Multiplatform Firmware = 11.2.3
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved