Cisco patches denial of service flaw affecting VoIP Phones

News by Bradley Barth

Cisco patched a High severity IPv4 fragmentation vulnerability that could result in a denial of service, along with three Medium severity bugs.


The High severity vulnerability (CVE-2018-0369) affected Cisco VoIP phones and resulted from improper handling of fragmented IPv4 packets containing options. An attacker could exploit it by sending a malicious IPv4 packet across an affected device.

"A vulnerability in the reassembly logic for fragmented IPv4 packets of Cisco StarOS running on virtual platforms could allow an unauthenticated, remote attacker to trigger a reload of the npusim process, resulting in a denial of service (DoS) condition," the advisory said.

This vulnerability affects IP Phone 6800, 7800 and 8800 series devices that run a Multiplatform Firmware released prior to Release 11.2(1).
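An added example, not from Cisco's advisory or the original article: a Python check that flags fragmented IPv4 packets carrying options, the packet shape the advisory describes, for use in traffic monitoring. The function names and sample packets are constructed for illustration, and a match is not a signature for CVE-2018-0369.

```python
import socket
import struct

def classify_ipv4(packet: bytes) -> dict:
    """Parse the fixed IPv4 header and report fragment and option status."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    ver_ihl, _tos, _total_len, _ident, flags_frag = struct.unpack("!BBHHH", packet[:8])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet")
    if ihl < 5 or ihl * 4 > len(packet):
        raise ValueError("invalid header length (IHL)")
    more_fragments = bool(flags_frag & 0x2000)   # MF flag
    frag_offset = (flags_frag & 0x1FFF) * 8      # offset field counts 8-byte units
    # IHL above 5 words means the header is longer than 20 bytes, so options are present.
    return {"has_options": ihl > 5, "frag_offset": frag_offset,
            "is_fragment": more_fragments or frag_offset > 0}

def flag_fragments_with_options(packets):
    """Return indexes of packets that are fragments and also carry options."""
    hits = []
    for i, pkt in enumerate(packets):
        try:
            info = classify_ipv4(pkt)
        except ValueError:
            continue  # malformed headers are skipped here, not flagged
        if info["is_fragment"] and info["has_options"]:
            hits.append(i)
    return hits

def build_sample(ihl, flags_frag):
    """Constructed test packet: documentation addresses, checksum left at 0."""
    options = b"\x01\x01\x01\x00" * (ihl - 5)    # NOP, NOP, NOP, End of Option List
    payload = b"\x00" * 8
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                         ihl * 4 + len(payload), 0x1234, flags_frag, 64, 17, 0,
                         socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.7"))
    return header + options + payload

SAMPLES = [                   # constructed samples, not captured traffic
    build_sample(5, 0x4000),  # DF set, no options
    build_sample(5, 0x2000),  # first fragment, no options
    build_sample(6, 0x0000),  # options, not fragmented
    build_sample(6, 0x2000),  # first fragment with options
    build_sample(6, 0x0005),  # later fragment (offset 40) with options
]

if __name__ == "__main__":
    print(flag_fragments_with_options(SAMPLES))
```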

The medium severity vulnerabilities include a FireSIGHT system software file policy bypass vulnerability, a FireSIGHT system software URL-based access control policy bypass vulnerability, and a web security appliance cross-site scripting vulnerability.

There are no workarounds for any of the vulnerabilities, and patches addressing the flaws were released on Wednesday.
