

#304465 6-May-2023 13:41

According to The Register

 

 

There is a critical security flaw in a Cisco phone adapter, and the business technology giant says the only step to take is dumping the hardware and migrating to new kit.
In an advisory, Cisco this week warned about the vulnerability in the SPA112 2-Port Adapter that, if exploited, could allow a remote attacker to essentially take control of a compromised device by seizing full privileges and executing arbitrary code.

 

The flaw, tracked as CVE-2023-20126, is rated as "critical," with a base score of 9.8 out of 10.

 

Adding to the problem is the fact that the adapter reached its end of life in June 2020, and while the last date to extend or renew a service contract for the product isn't until August 2024, Cisco said in the advisory it will not release firmware updates to address the flaw and there are no workarounds.
"Customers are encouraged to migrate to a Cisco ATA 190 Series Analog Telephone Adapter," the manufacturer wrote in its advisory.

 

😬

 

https://www.theregister.com/2023/05/05/cisco_phone_adapter_vulnerabilitty/


michaelmurfy

  #3073088 6-May-2023 14:00

With it being so widely used, that is pretty poor form from Cisco, end of life or not.





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.




huckster

  #3073089 6-May-2023 14:10

"The flaw is in the web-based management interface for the two-port adapter".

 

I have one, not currently using it, but the above means I'm not going to immediately throw it out.


michaelmurfy

  #3073092 6-May-2023 14:20

@huckster Here's the problem though. People port forward so suddenly there are more vulnerable things out there on the general internet:

 

 

I do note that is for the 122, but similar numbers for the 112 and both run basically identical firmware.





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.




huckster

  #3073094 6-May-2023 14:30

As is always the case with port-forwarding. :-)


  #3073180 6-May-2023 18:47

I changed to a Grandstream HT801 a long time ago which has had the remote command execution vulnerability fixed.





Gordy

 

My first ever AM radio network connection was with a 1MHz AM crystal(OA91) radio receiver.


radicall

  #3073187 6-May-2023 19:02

The way CISCO sacrificed the SME market here in New Zealand is repugnant to the senses







mentalinc

  #3073192 6-May-2023 20:16

So, what are people recommending for a replacement/alternative for 2Talk?





nztim

  #3073195 6-May-2023 20:55

Should not be an issue. I still use these at my parents' and it's behind NAT, so web management is not exposed; you would have to be an idiot to do that.

So an attack would have to come from inside the network. Maybe I will put it on another VLAN and firewall it off if I am worried about this.




Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 


RunningMan


  #3073241 6-May-2023 21:24

michaelmurfy:

 

I do note that is for the 122, but similar numbers for the 112 and both run basically identical firmware.

 

 

They run the same firmware, but there is only an advisory for the 112, and the 122 is not listed as a vulnerable product on that list. This may be because the webif can be removed from the WAN port on a 122 if it's in router mode.


cyril7

  #3073272 7-May-2023 09:02

nztim: Should not be an issue. I still use these at my parents' and it's behind NAT, so web management is not exposed; you would have to be an idiot to do that.

So an attack would have to come from inside the network. Maybe I will put it on another VLAN and firewall it off if I am worried about this.


Hi, there are both Grandstream and Yeastar ATAs that work perfectly fine. As for this vulnerability, it seems like another of those that are reported regularly where any normal precautions will never expose you or the device, so no need to do anything.

Simple precautions: don't expose it to the internet, i.e. no port forwards to it, and for any remote access methods you have to the LAN, check that they have sensible protection. If you don't know what you are doing, call a professional.

Cyril

sultanoswing


  #3078824 22-May-2023 23:16

Gordy7:

 

I changed to a Grandstream HT801 a long time ago which has had the remote command execution vulnerability fixed.

 

 

That's good to know - not that I expose my ATAs' web interfaces to the WAN, however. I just picked up an HT801 a couple of weeks ago, since I thought my PAP2T and then replacement SPA2102 had died. The symptoms on both were constant rebooting every 10 seconds. It was only after buying the SPA2102, then replacing all its caps, that I realised the network port on my switch had died - and the PAP2T and SPA112/122 all reboot if they can't get a network connection. Sigh. At least I have a bunch of spare ATAs for the years ahead!

