Synopsis
The remote host may give an attacker information useful for future attacks.
Description
The administrative page of the Cisco IP Phone is available via an embedded web server. Unfortunately, the web server gives away critical information that an attacker can use to gain access to the VoIP device. This information includes, but is not limited to, user accounts, passwords, TFTP servers, network addresses, and phone line information. An attacker exploiting this flaw would be able to elevate access on the VoIP devices and possibly gain control of the devices.
Solution
Use ACLs to ensure that only trusted administrators can access the administrative GUI.
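One way to apply this, as an added example that is not part of the original advisory: a Cisco IOS extended ACL on the Layer 3 gateway of the voice VLAN that lets only an administrators' subnet reach the phones' embedded web server. The ACL name, the interface, both subnets and the assumption that the web server listens on TCP 80 and 443 are placeholders to adapt to the actual deployment.

```cisco
! Constructed example: every name and address below is a placeholder.
!   192.0.2.0/24    = administrators' management subnet (assumed)
!   198.51.100.0/24 = voice VLAN that holds the IP phones (assumed)
!   TCP 80 / 443    = ports of the phone's embedded web server (assumed)
ip access-list extended PHONE-WEB-ADMIN
 remark Trusted administrators may reach the phones' web server
 permit tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 80
 permit tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 443
 remark All other sources are refused and the attempt is logged
 deny   tcp any 198.51.100.0 0.0.0.255 eq 80 log
 deny   tcp any 198.51.100.0 0.0.0.255 eq 443 log
 remark Signalling, media and TFTP traffic is left untouched
 permit ip any any
!
! Traffic routed towards the phones leaves the gateway through the voice
! VLAN interface, so the ACL is applied in the outbound direction there.
interface Vlan100
 description Voice VLAN gateway (hypothetical SVI)
 ip access-group PHONE-WEB-ADMIN out
```

A routed ACL like this does not filter traffic between hosts inside the voice VLAN itself, so that path needs its own control. `show access-lists PHONE-WEB-ADMIN` displays per-entry match counters, which shows whether untrusted sources are still trying to reach the administrative page.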