CVE-2020-3161
Published: 15 April 2020
Summary
CVE-2020-3161 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Cisco IP Phone 8865 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability exists in the web server component of Cisco IP Phones due to improper input validation of HTTP requests, tracked as CWE-20. This flaw affects multiple models of Cisco IP Phones and carries a CVSS v3.1 score of 9.8, reflecting its critical severity and network-exploitable nature without authentication.
An unauthenticated remote attacker can exploit the issue by sending a specially crafted HTTP request to the device's web server. Successful exploitation grants the ability to execute arbitrary code with root privileges on the phone or trigger a reload that results in a denial-of-service condition.
The Cisco Security Advisory cisco-sa-voip-phones-rce-dos-rB6EeRXs and public proof-of-concept files on Packet Storm detail the remote code execution and denial-of-service vectors. CVE-2020-3161 is listed in CISA's Known Exploited Vulnerabilities Catalog, confirming observed in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-24432
Vulnerability details
A vulnerability in the web server for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition. The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of HTTP inputs to the phone web server, blocking the crafted requests that exploit the CWE-20 flaw.
Boundary-protection mechanisms can restrict or filter traffic to the exposed web server, reducing the attack surface for unauthenticated remote exploitation.
Mandates timely remediation of the known vulnerable web-server code, eliminating the root cause before exploitation occurs.