Cisco has warned that SPA112 2-Port Phone Adapters have a serious security flaw that could be used by a remote attacker to run any code on vulnerable devices. The problem, tracked as CVE-2023-20126, has a CVSS score of 9.8 out of a maximum of 10. Catalpa of DBappSecurity was given credit by the company for pointing out the problem.
The adapters let users connect their analog phones and fax machines to a VoIP provider without upgrading their hardware. “This vulnerability is caused by the fact that the firmware upgrade function does not have an authentication process,” the company said in a bulletin.
An attacker could exploit this flaw by upgrading a device to a specially crafted version of the firmware. If the attack worked, the attacker could run any code on the vulnerable device with full access.
Even though the flaw is serious, the company that makes networking equipment said it has no plans to fix it because the devices have reached the end of life (EoL) as of June 1, 2020.
It instead suggests that users switch to a Cisco ATA 190 Series Analog Telephone Adapter, which won’t get any more updates after March 31, 2024. There is no evidence that the flaw has been exploited in the real world.
Why Do Phone Adapters Reach End of Life
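The class of flaw described above, a firmware upgrade handler that never checks who is calling it, shown next to a hardened form. This is an added Python illustration, not Cisco's firmware code or anything from the advisory; the handler names, request fields, session table and key are all hypothetical, and an HMAC stands in for the asymmetric signature a real vendor would use.

```python
import hashlib
import hmac

# Constructed values for this illustration only; nothing here is Cisco's.
VENDOR_KEY = b"constructed-vendor-signing-key"
SESSIONS = {"constructed-admin-token": "admin"}  # session token -> role


def sign_image(image: bytes, key: bytes = VENDOR_KEY) -> str:
    """Stand-in for release signing (HMAC here, asymmetric in practice)."""
    return hmac.new(key, image, hashlib.sha256).hexdigest()


def upgrade_unauthenticated(request: dict, flash: list) -> int:
    """The flawed pattern: whatever reaches the upgrade function is flashed."""
    flash.append(request["image"])
    return 200


def upgrade_hardened(request: dict, flash: list) -> int:
    """Check who is asking, then check what is being installed."""
    role = SESSIONS.get(request.get("session", ""))
    if role != "admin":
        return 401  # no valid admin session: reject before touching the image
    image = request.get("image", b"")
    expected = sign_image(image)
    if not hmac.compare_digest(expected, request.get("signature", "")):
        return 422  # authenticated caller, but the image is not vendor-signed
    flash.append(image)
    return 200


def demo() -> dict:
    """Replay three constructed requests and record what each handler flashed."""
    good = b"vendor-release-image"
    crafted = b"attacker-built-image"
    anon_crafted = {"image": crafted}
    admin_crafted = {"session": "constructed-admin-token", "image": crafted,
                     "signature": "00" * 32}
    admin_good = {"session": "constructed-admin-token", "image": good,
                  "signature": sign_image(good)}
    weak, strong = [], []
    return {
        "weak_anon": upgrade_unauthenticated(anon_crafted, weak),
        "hard_anon": upgrade_hardened(anon_crafted, strong),
        "hard_unsigned": upgrade_hardened(admin_crafted, strong),
        "hard_signed": upgrade_hardened(admin_good, strong),
        "weak_flash": weak, "hard_flash": strong,
    }
```

The second check matters on its own: even with a valid admin session, an image that does not carry the vendor's signature is refused, so a stolen or default credential does not by itself allow arbitrary firmware.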
With constant advancement, we rely heavily on technology. One of the gadgets we use the most is our smartphones. However, even the best technology has a lifespan, and phone adapters are no exception.
- Components Wear Out:
Phone adapters are made up of capacitors, diodes, and transistors that have a limited lifespan. As these components are used over time, they can begin to degrade, leading to reduced efficiency and longer charging times. Once the components wear out completely, the adapter will stop working altogether.
- Heat Damage:
When you charge your phone, the adapter converts the high voltage of the power supply into a lower voltage suitable for your phone. This conversion generates heat, which can cause the components inside the adapter to become damaged over time. The heat generated by the adapter can cause solder joints to crack or weaken, causing electrical connections to fail.
- Wear and Tear of Cables:
Phone adapters are connected to cables that can become frayed and damaged over time. Frayed cables can cause a short circuit, which can damage the adapter’s components or even lead to a fire hazard. Even if the cables are not visibly damaged, they can still become worn and less effective at transferring power.
- Environmental Factors:
Environmental factors such as humidity and temperature can also contribute to the deterioration of phone adapters. Exposure to high temperatures, direct sunlight, or moisture can damage the adapter’s internal components, leading to failure.
- Quality of the Adapter:
The quality of the adapter can also affect its lifespan. Cheap or low-quality adapters may not be built to withstand the same number of charge cycles as higher-quality adapters. High-quality adapters may cost more, but they will last longer and are less likely to fail.
This week, Cisco warned of a critical remote code execution (RCE) flaw affecting SPA112 2-Port phone adapters, which are now out of production and no longer supported by Cisco. The security hole is in the phone adapters’ web-based administration interface, can be exploited without authentication, and has a CVSS score of 9.8 (CVE-2023-20126). Cisco’s alert states that “a missing authentication process within the firmware upgrade function” is to blame for the problem.
A remote attacker can gain root access by upgrading a vulnerable device to specially designed firmware that takes advantage of the vulnerability. Cisco has no plans to issue firmware upgrades for the SPA112 2-Port phone adapters to fix the security hole because they are no longer supported (EoL was June 1, 2020).
Instead, clients are encouraged to switch to an ATA 190 Series analog telephone adaptor, as recommended by the tech giant. According to Cisco, the company has not received any reports of attacks using the flaw. However, exploits targeting unpatched Cisco devices have been spotted in the wild, so businesses may want to eliminate their SPA112 2-Port phone adapters.
Thanks, that is really useful information. I do have a question: as this vulnerability is related to the web interface being accessible by an attacker, if the device is behind NAT, would you say it is not 100% secure but secure?