Arbitrary Code Execution Vulnerability in Broadcom MediaxChange Firmware Affecting Cisco IP Phones
CVE-2021-33478
6.8 MEDIUM
Key Information:
- Vendor: Cisco
- Status: Vendor
- CVE Published: 22 July 2021
Summary
The TrustZone implementation in specific versions of the Broadcom MediaxChange firmware allows arbitrary code execution within the Trusted Execution Environment (TEE). An unauthenticated attacker with physical access to an affected device may exploit this vulnerability. Exploitation requires physically disassembling the device and manipulating the voltage and current on critical chip pins. Various Cisco IP Phone models are affected.
CVSS V3.1
Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved