Cisco Small Business SPA300 and SPA500 Series IP Phones Unauthenticated Remote Dial (CVE-2015-0670)

medium Tenable OT Security Plugin ID 502768

Synopsis

The remote OT asset is affected by a vulnerability.

Description

The default configuration of Cisco Small Business IP phones SPA 300 7.5.5 and SPA 500 7.5.5 does not properly support authentication, which allows remote attackers to read audio-stream data or originate telephone calls via a crafted XML request, aka Bug ID CSCuo52482.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

Refer to the vendor advisory.

Plugin Details

Severity: Medium

ID: 502768

Version: 1.2

Type: remote

Family: Tenable.ot

Published: 12/4/2024

Updated: 12/5/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.0

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2015-0670

Vulnerability Information

CPE: cpe:/h:cisco:spa_514g_4-line_ip_phone, cpe:/h:cisco:spa_301_1_line_ip_phone, cpe:/h:cisco:spa_512g_1-line_ip_phone, cpe:/h:cisco:spa_508g_8-line_ip_phone, cpe:/h:cisco:spa_509g_12-line_ip_phone, cpe:/h:cisco:spa_525g2_5-line_ip_phone, cpe:/h:cisco:spa_303_3_line_ip_phone, cpe:/h:cisco:spa_502g_1-line_ip_phone, cpe:/h:cisco:spa_504g_4-line_ip_phone, cpe:/h:cisco:spa_525g_5-line_ip_phone, cpe:/h:cisco:spa_501g_8-line_ip_phone

Required KB Items: Tenable.ot/Cisco

Exploit Ease: No known exploits are available

Patch Publication Date: 3/21/2015

Vulnerability Publication Date: 3/21/2015

Reference Information

CVE: CVE-2015-0670

CWE: 287

Detections

Analytics