CVE-2019-1683
CVSS v3.1 base score: 7.4
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.2 / Impact: 5.2
Source: NVD
Description
A vulnerability in the certificate handling component of the Cisco SPA112, SPA525, and SPA5X5 Series IP Phones could allow an unauthenticated, remote attacker to listen to or control some aspects of a Transport Layer Security (TLS)-encrypted Session Initiation Protocol (SIP) conversation. The vulnerability is due to improper validation of server certificates. An attacker could exploit this vulnerability by crafting a malicious server certificate to present to the client. A successful exploit could allow the attacker to eavesdrop on TLS-encrypted traffic and potentially route or redirect calls initiated by an affected device. Affected software includes version 7.6.2 of the Cisco Small Business SPA525 Series IP Phones and Cisco Small Business SPA5X5 Series IP Phones, and version 1.4.2 of the Cisco Small Business SPA500 Series IP Phones and Cisco Small Business SPA112 Series IP Phones.
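The flaw class described above is a TLS client that accepts whatever server certificate it is handed, so any party that can sit between the phone and the SIP server can present its own certificate and read or steer the call. The following is an added illustration (not Cisco firmware code, and not taken from the advisory) of what that weak client configuration looks like next to a hardened one in Python's standard `ssl` module, plus a small audit function a defender can run over a context to flag the two settings that matter: certificate chain verification and hostname checking. The port 5061 constant, the `connect_sip_tls` helper and all function names are assumptions for the example; the pattern applies to any TLS client, not only SIP.

```python
import socket
import ssl
from typing import List, Optional

# Assumption for the example: SIP over TLS normally uses TCP 5061.
SIP_TLS_PORT = 5061


def insecure_sip_client_context() -> ssl.SSLContext:
    """The class of misconfiguration the advisory describes: the client
    completes the TLS handshake without checking who signed the server
    certificate or whether its name matches the SIP server it dialled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be switched off before verify_mode can be CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including a rogue one, is accepted
    return ctx


def hardened_sip_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Corrected configuration: require a certificate chaining to a trusted CA,
    match the server name against the certificate, and refuse legacy TLS.
    ca_bundle=None uses the platform trust store; a deployment that pins its
    own SIP provider's CA would pass that bundle's path instead."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return short finding codes for settings that would let an attacker with a
    self-made server certificate intercept the session. Empty list == no findings."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no_cert_verification")   # chain to a trusted CA is never checked
    if not ctx.check_hostname:
        findings.append("no_hostname_check")      # a valid cert for any other name passes
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy_tls_allowed")     # TLS 1.0/1.1 negotiable
    return findings


def connect_sip_tls(ctx: ssl.SSLContext, host: str, port: int = SIP_TLS_PORT,
                    timeout: float = 5.0) -> ssl.SSLSocket:
    """Open the SIP-over-TLS connection. server_hostname is the name that
    check_hostname compares against the certificate's SAN entries, so it must
    be the configured SIP server name, not an IP literal. With the hardened
    context this raises ssl.SSLCertVerificationError for an untrusted or
    mismatched certificate instead of silently talking to the wrong party.
    (Network call; not exercised in the offline checks below.)"""
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_sip_client_context()),
                       ("hardened", hardened_sip_client_context())):
        print(f"{label}: findings = {audit_context(ctx) or 'none'}")
```

The audit deliberately looks only at the context object, so it can be run on any client code path without making a connection; in a firmware or application review the equivalent check is to confirm that verification is required, that the expected server name is supplied for hostname matching, and that the trust anchors are the ones the deployment intends rather than an empty or all-accepting set.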
Affected (14)
| Configuration | Affected Versions | Running on/with | Platform Versions |
|---|---|---|---|
| A | Version 1.4.2 | Cisco SPA112 | All versions |
| B | Version 7.6.2 | Cisco SPA525 | All versions |
| C | Version 7.6.2 | Cisco SPA5X5 | All versions |
| D | Version 1.4.2 | Cisco SPA500 | All versions |
| E | Version 1.4.2 | Cisco SPA500S | All versions |
| F | Version 1.4.2 | Cisco SPA500DS | All versions |
| G | Version 1.4.2 | Cisco SPA501G | All versions |
| H | Version 1.4.2 | Cisco SPA502G | All versions |
| I | Version 1.4.2 | Cisco SPA504G | All versions |
| J | Version 1.4.2 | Cisco SPA508G | All versions |
| K | Version 1.4.2 | Cisco SPA509G | All versions |
| L | Version 1.4.2 | Cisco SPA512G | All versions |
| M | Version 1.4.2 | Cisco SPA514G | All versions |
| N | Version 1.4.2 | Cisco SPA525G | All versions |
References (4)
| Source | Tags |
|---|---|
| psirt@cisco.com | Broken Link, Third Party Advisory, VDB Entry |
| psirt@cisco.com | Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | Broken Link, Third Party Advisory, VDB Entry |
| af854a3a-2127-422b-91ae-364da2661108 | Vendor Advisory |
Timeline
No history available yet.