Hello? Are you talking on a Cisco SPA300 or SPA500 IP phone? Now's the time to junk 'em

A boffin from British defence contractor BAE has found three critical flaws in Cisco's Small Business SPA300 and SPA500 IP phones – and another couple of nasties – none of which will be fixed or mitigated. In an advisory published Wednesday, Cisco explained the three most serious flaws – all rated CVSS 9.8 out of 10 – affect …

  1. cFortC

    Phones still OK on an inside non-routable network?

    I've got three SPA525Gs. I noticed back in 2022 that an "old QuoVadis certificate issue" was reported, eventually destined to brick these phones. But so far, they have continued working.

    I have a question about this newly reported critical flaw in the web administration interface. My phones are all on the "inside LAN" and are presumably protected from hackers on the WAN by my IP gateway router, which prevents incoming connection requests, performs NAT, and so on.

    Do I still need to be worried about this attack vector?

    1. diodesign (Written by Reg staff) Silver badge

      Re: Phones still OK on an inside non-routable network?

      Yeah, if no one untrusted can reach the web interface of the devices, they can't exploit it. If someone malicious is on your network and can reach them, then they can attack.

      As for if you should worry about it, I think it comes down to this: If there's an intruder or malicious user in your network, are you going to worry about the phones as a priority or whatever else they could do first? You might find a rogue insider or compromised machine has other goals than screwing with your phones.

      I guess a particularly nasty intruder might seek to exfiltrate data or run some malware, and then to hamper your efforts to fix things, attack the phones.

      But another point: The attacker would have to craft a buffer overflow exploit, which is fiddly, or just crash them with a more trivial exploit. It depends on how much pain someone wants to cause you.

      C.

      1. doublelayer Silver badge

        Re: Phones still OK on an inside non-routable network?

        I suppose the theoretical attacker who has lots of time on their hands and good skill could make this really nasty by installing C&C systems on all the phones. Then, after something like a ransomware attack where the computers were completely wiped, you think they're gone because all the computers have been reimaged from a clean state, but they can come back from what looked like a dumb desk phone and do so over any part of the network in which those phones are installed. It would still require the same access you described, but that's probably the worst thing they could do with it. The risk may be low, but unfortunately the potential harm in the worst case is substantial.

        1. Anonymous Coward

          Re: Phones still OK on an inside non-routable network?

          Yes, depending on what the phone OS can support they could be turned into beachheads (or that could be added to them).

          That's why the whole "hard shell - soft center" model is on its way out in favour of zero trust. As soon as someone has established a beachhead (by, for instance, someone following a phishing link and their endpoint getting hit with a zero day) the rest of your inside will fall as it'll have the same weakness as has been deployed to establish the point of entry, and not all of these tools need a C&C link to work.

          Sadly, there are a few geniuses on the criminal side too - some of them even in the employ of governments.

          1. osxtra

            Re: Phones still OK on an inside non-routable network?

            So far as them becoming beachheads, couldn't one use firewall rules to prevent them from reaching anything but the VoIP provider? That would in theory protect workstations and whatnot on the LAN.

            1. doublelayer Silver badge

              Re: Phones still OK on an inside non-routable network?

              It depends on your setup. I'm not sure what these models look like and I'm not going to bother looking it up, but a lot of phones like this that I know have two ethernet ports. You plug in the one cable from the wall, then you plug a passthrough cable for the computer. Now that phone has its own internal address which you can firewall and it's got access to the user's computer traffic as well. It can send traffic as the user's computer, allowing it onto that network. So if you do that, probably firewall rules won't be enough.

              1. osxtra

                Re: Phones still OK on an inside non-routable network?

                That's a good point, but hopefully folks are only plugging printers into the PC port. Most of those phones offer a 10/100 bandwidth.

                It was a great idea though, having the second port on those phones, as many businesses only have the one plug at each desk. In a finished building, the cost of adding a second or third wire could be difficult to swallow. Any time these days for new construction I always get the customer to run at least two per desk (PC for one, Phone the other, with printer tethered to phone as needed). Another alternative would be small managed switches if you needed more than that amount of connectivity at any one location.

            2. Anonymous Coward

              Re: Phones still OK on an inside non-routable network?

              Actually, you have a point in that most of these setups already live on their own LAN or VLAN. Not for security, but for QoS - VOIP and latency don't combine well. So an old issue and the resulting measures could very well contain the problem - at least to the phones.
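              The "phones on their own VLAN, allowed out only to the VoIP provider" policy that osxtra and the Anonymous Coward describe above, written out as an nftables forward chain. This is an added example, not anything from the thread or from Cisco; the phone VLAN 10.20.0.0/24, the workstation LAN 10.10.0.0/24, the admin host 10.10.0.5 and the provider addresses in the voip_provider set are all constructed placeholders.

```nft
# Added example: egress allow-list for a dedicated phone VLAN.
# Constructed addresses: phones 10.20.0.0/24, workstations 10.10.0.0/24,
# admin host 10.10.0.5, provider SIP/media hosts in @voip_provider.
table inet voip_segment {
    set voip_provider {
        type ipv4_addr
        # placeholder: replace with your VoIP provider's SIP and media hosts
        elements = { 203.0.113.10, 203.0.113.11 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to connections that were allowed to start
        ct state established,related accept

        # phones may initiate SIP signalling and RTP media to the provider only
        # (add DNS/NTP/provisioning lines here if the phones need them)
        ip saddr 10.20.0.0/24 ip daddr @voip_provider udp dport 5060 accept
        ip saddr 10.20.0.0/24 ip daddr @voip_provider tcp dport { 5060, 5061 } accept
        ip saddr 10.20.0.0/24 ip daddr @voip_provider udp dport 16384-32767 accept

        # a phone must never initiate anything towards the workstation LAN
        ip saddr 10.20.0.0/24 ip daddr 10.10.0.0/24 drop

        # only the admin host may reach the phones' web administration interface
        ip saddr 10.10.0.5 ip daddr 10.20.0.0/24 tcp dport { 80, 443 } accept
        ip saddr 10.10.0.0/24 ip daddr 10.20.0.0/24 tcp dport { 80, 443 } drop

        # everything else is logged, so a phone probing the LAN shows up
        log prefix "voip-seg drop: " counter drop
    }
}
```

              This only helps against the PC-passthrough problem doublelayer raises if the switch tags the phone into the voice VLAN and leaves the pass-through PC on the data VLAN, so that the two are actually different networks at the firewall.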

    2. david 12 Silver badge

      Re: Phones still OK on an inside non-routable network?

      Phones like this, particularly the very old models on very early VOIP networks, were sometimes directly connected to public networks, or even Very Large private networks. When you've got thousands of phones on your network, the line between 'public' and 'private' becomes blurred. If you're not in that category, it's more another irritating "out of support" factor which makes your phones non-upgradable and with zero value on re-sale.

      1. Alan Brown Silver badge

        Re: Phones still OK on an inside non-routable network?

        "or even Very Large private networks"

        a VLPN _should_ have firewalls between segments and a degree of paranoia about internal traffic - but of course that tends to be rare

    3. Alan Brown Silver badge

      Re: Phones still OK on an inside non-routable network?

      The amount of PPPP (and similar) stuff creating tunnels means that you can't rely on your firewall to be 100% effective

      Ideally you have something that does deep packet inspection and blocks tunnels but that's going to be out of the affordability range of the average business

  2. Henry Wertz 1 Gold badge

    what's the point of the support contract?

    So what's the point of the support contract? So the SPA300 is EOL. Why would ANYBODY pay a penny for support for the SPA500 (through 2025) if they already say they are not patching critical security vulnerabilities on it? If they aren't doing that they aren't supporting it.

    1. Doctor Syntax Silver badge

      Re: what's the point of the support contract?

      To make money for Cisco, of course, and to tick the box that says "Must have support contract".

  3. Anonymous Coward

    It's a desk phone.

    First, Cisco's behavior should not be legal. Desk phones last for DECADES. The only reason a phone should be "out of support" is that the company that built it went out of business.

    Second, it's a phone. I've got one of these, and it's not going anywhere. I got it for free, it's hooked up to hamshack hotline, and I don't really give a shit if it gets hacked, which it won't be because it's not accessible from outside my house. I've never run an update on it, because I don't care.

  4. Pascal Monett Silver badge

    Cisco, again

    My $Deity, aren't we all happy that we have banned Huawei.

    When you have friends like Cisco, you don't need enemies.

    1. Duncan Macdonald

      Re: Cisco, again

      Having got Huawei banned, Cisco sees no need to provide support as its customers cannot vote with their feet and move to much better and cheaper Huawei equipment.

      America - the country with the best government that money can buy :-(((

      1. Alan Brown Silver badge

        Re: Cisco, again

        Captive markets are great, aren't they?

        Driving innovation in the USA vehicle market since 1963 (hint: Chicken Tax)

    2. pc-fluesterer.info

      Re: Cisco, again

      Yes, particularly: "An attacker could ... send a crafted HTTP request to one of the phones, ... making it possible to execute arbitrary commands – with ... root privileges."

      Noooo, we don't build in backdoors, promised, honour bright!

  5. jake Silver badge

    Replace the phone?

    My desk telephone is about 70 years old. It's a 1950s Western Electric Model 500. It does everything I need a telephone in that location to do, except DTMF, which was easily rectified with a little circuitry and a couple switches and buttons. My telco still supports pulse dialing, the DTMF option is handy for accessing voice-mail torture devices "helpfully" provided by third parties.

    Sometimes a telephone has no need to be anything but a telephone.

    Before you knee-jerk a "luddite" comment, where will all the money you have spent on telephones be in 70ish years? Down the toilet, that's where. Think about it.

    1. Blue Shirt Guy

      Re: Replace the phone?

      Surely you've heard of Silicon Heaven?

      1. jake Silver badge

        Re: Replace the phone?

        But it's not dead yet.

      2. Anonymous Coward

        Re: Replace the phone?

        Yeah, that's an awesome strip bar. Oh, wait, you wrote 'Silicon Heaven'.

    2. NITS

      Re: Replace the phone?

      A Western Electric 300-series phone would not have this issue, either.

      1. PRR Silver badge

        Re: Replace the phone?

        > where will all the money you have spent on telephones be in 70ish years? Down the toilet

        And me too. Since I got good lightning protection, I get 10 years service out of $10 yard-sale phones.

        (And I got very lucky with going-out-of-business sale: a good-brand Butt Set. A hot-rodded Bell 500's guts on a beltclip with clip/probe leads to sort wiring at the top of a pole.)

        > A Western Electric 300-series phone would not have this issue, either.

        No; but they sound like crap.

  6. GreggS

    I'm Brian....

  7. jeremya

    Any option for custom firmware

    Out of curiosity, is there any programmer's model for Cisco phones?

    That is, documentation on the CPU, the circuit diagram(s), hardware components (registers etc), and any code signing required.

    I know Cisco has admitted they have put a lot of GPL software into at least some of their phones without mentioning it till questioned.

    Would that process have resulted in Cisco disclosing the entire software stack?

    1. sin

      Re: Any option for custom firmware

      Maybe they will release all of the source code once the phones become EoL, just like MS did with DOS 4.0... in just about 30-40 years.

  8. harrys

    Piffle and balderdash

    Is it just me....

    during my career the pile of perfectly working but out of support equipment is absolutely huge and every time something like this happens, I just find it a sickening waste

    companies should be forced to open up the firmware to third parties but that ain't gonna happen whilst everything is so bloody cheap to produce

    it's come to the point now where the downsides of global capitalism far outweigh the benefits it gave us over the last few decades

    hopefully.... i.e. ain't never gonna happen :) .....increasing climate change/instability will make the cost of transporting goods sky rocket, and so force the rise of localized circular economies

    a bitter pill to swallow, but one that is sorely needed

    1. An_Old_Dog Silver badge

      Transportation Costs

      ... are a tiny fraction of the cost you pay for goods.

      I don't see how climate change/instability would change that.

      If oil prices go up substantially, shipping companies might well shift back to wind power, which would add large variances to shipping times. That would break the "just-in-time" parts delivery model modern manufacturers use. In turn, that would mean more warehouses would be built to buffer against delivery time variations. And that means end-user prices would go up.

      1. Sceptic Tank Silver badge

        Re: Transportation Costs

        Wind powered ships? Hasn't that been done?

        Mine's the one with the VOC scrip in the pockets.

        (I just learned something. Johan van Oldenbarnevelt founded the VOC. Lost his head later in life. For the longest time I've been wondering why my surname could not be something cool like Van Oldenbarnevelt).

  9. martinusher Silver badge

    But it's a phone....

    Continually obsoleting stuff for no reason at all makes me reluctant to buy new things. Taking a traditional phone as an example, those things are still functional decades after they were first put into service. As soon as something's made 'smart' it tends to acquire surplus functionality and inevitably premature obsolescence. That's not smart; that's just dumb marketing that's unable to conceive of anything other than 'more of the same'.

    (Before everyone dumps on me because I'm old fashioned etc. I'll say that I've always been an advocate for leading edge technologies. They just need to be appropriately used. There are lots of common things in our lives that just work and adding sensors, actuators and a processor doesn't actually improve them (and adding Internet connectivity definitely doesn't improve them). If you want to experiment with connecting everything, everywhere by all means. Just don't expect me to spend money for it.)
