Several models of Cisco Systems’ IP phones have a high-severity vulnerability, the company has acknowledged, but a patch won’t be available until January.
Nor is there a workaround for the Cisco Discovery Protocol processing feature in the Cisco IP Phone 7800 and 8800 Series (excluding the Cisco Wireless IP Phone 8821).
What administrators can think about is disabling Cisco Discovery Protocol on affected phones. Devices will then use LLDP for discovery of configuration data such as voice VLAN, and power negotiation.
However, Cisco warns that “this is not a trivial change and will require diligence on behalf of the enterprise to evaluate any potential impact to devices as well as the best approach to deploy this change in their enterprise.”
“While this mitigation has been deployed and was proven successful in a test environment,” Cisco says, “customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.”
The vulnerability in the Cisco Discovery Protocol processing feature of the affected phones could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device. The hole is due to insufficient input validation of received Cisco Discovery Protocol packets, the Cisco notice says. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device. A successful exploit could allow the attacker to cause a stack overflow, resulting in possible remote code execution or a denial of service (DoS) condition on an affected device.