Dump these insecure phone adapters because we're not fixing them, says Cisco

Security hole ranks 9.8 out of 10 in severity, 0 out of 10 in patch availability


There is a critical security flaw in a Cisco phone adapter, and the business technology giant says the only step to take is dumping the hardware and migrating to new kit.

In an advisory, Cisco this week warned about the vulnerability in the SPA112 2-Port Adapter that, if exploited, could allow an unauthenticated remote attacker to execute arbitrary code on an affected device with full privileges, effectively taking it over.

The flaw, tracked as CVE-2023-20126, is rated as "critical," with a base score of 9.8 out of 10.

Adding to the problem is the fact that the adapter reached its end of life in June 2020. Although the last date to extend or renew a service contract for the product isn't until August 2024, Cisco said in the advisory it will not release firmware updates to address the flaw, and there are no workarounds.

"Customers are encouraged to migrate to a Cisco ATA 190 Series Analog Telephone Adapter," the manufacturer wrote in its advisory.

The Register has asked Cisco for more information, and will update the story if a response comes in.

The flaw is in the web-based management interface for the two-port adapter, which is used by organizations to connect analog phones and fax machines (please don't ask us to explain what those are) to voice-over-IP systems without having to upgrade them.

The vulnerability stems from a missing authentication process in the firmware upgrade function, according to Cisco. In practice that means the upgrade endpoint will accept a firmware image from anyone who can reach the management interface, so the only thing standing between an attacker and the device is network reachability.

"This vulnerability is due to a missing authentication process within the firmware upgrade function," the company wrote. "An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges."
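To make the bug class concrete, here is an added example (not Cisco's code, and not the SPA112 firmware) of a toy adapter with two versions of a web-management firmware-upgrade endpoint. The vulnerable handler installs whatever is posted to it, which is the missing-authentication pattern the advisory describes; the hardened handler first demands an authenticated admin session and only then verifies the image. The device, its password, the request format and the firmware container are all constructed for the example; the HMAC tag is a stand-in for the asymmetric vendor signature a real device would verify with a baked-in public key.

```python
"""
Added example, not Cisco's code: the bug class behind CVE-2023-20126 on a toy
device. A firmware-upgrade endpoint must enforce two independent checks:
(1) the caller holds an authenticated admin session, and (2) the image carries
a valid vendor signature. Cisco's advisory describes check (1) being absent.
The HMAC tag here stands in for the asymmetric signature a real device would
verify against a baked-in vendor public key.
"""
import hashlib
import hmac
import secrets

# Constructed stand-in for the vendor signing key. A real device holds only
# the vendor *public* key and never the signing key.
VENDOR_KEY = b"constructed-stand-in-vendor-key"
MAGIC = b"FWIMG"
TAG_LEN = 32


def build_image(payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: package payload as MAGIC || payload || HMAC-SHA256 tag."""
    body = MAGIC + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(image: bytes, key: bytes = VENDOR_KEY):
    """Device side: return the payload if the tag checks out, else None."""
    if len(image) < len(MAGIC) + TAG_LEN or not image.startswith(MAGIC):
        return None
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return body[len(MAGIC):]


class Adapter:
    """Toy phone adapter exposing a web-management-style upgrade endpoint."""

    def __init__(self, admin_password: str):
        self._admin_password = admin_password.encode()
        self._sessions = set()
        self.firmware = b"vendor-v1"

    def login(self, password: str):
        """Return a session token for the admin password, else None."""
        if not hmac.compare_digest(password.encode(), self._admin_password):
            return None
        token = secrets.token_hex(16)
        self._sessions.add(token)
        return token

    # --- vulnerable pattern: no session check, no image check ------------
    def upgrade_vulnerable(self, request: dict):
        """Installs whatever was posted. Anyone who can reach the interface
        gets code execution with the firmware's (i.e. full) privileges."""
        self.firmware = request["image"]
        return 200, "firmware installed"

    # --- hardened pattern: authenticate the caller, then the image --------
    def upgrade_hardened(self, request: dict):
        token = request.get("session")
        if token is None or token not in self._sessions:
            # Rejected before the image is even parsed.
            return 401, "authentication required"
        payload = verify_image(request["image"])
        if payload is None:
            return 400, "firmware signature invalid"
        self.firmware = payload
        return 200, "firmware installed"


def demo():
    """Send the same crafted image to both endpoints; return the outcomes."""
    crafted = b"attacker-image"          # constructed: unsigned, attacker-supplied
    genuine = build_image(b"vendor-v2")  # constructed: properly signed image
    anon = {"image": crafted}            # constructed: request with no session

    dev = Adapter(admin_password="constructed-admin-pw")
    vuln_status = dev.upgrade_vulnerable(anon)[0]
    vuln_fw = dev.firmware

    dev = Adapter(admin_password="constructed-admin-pw")
    r_anon = dev.upgrade_hardened(anon)[0]
    token = dev.login("constructed-admin-pw")
    r_unsigned = dev.upgrade_hardened({"session": token, "image": crafted})[0]
    r_signed = dev.upgrade_hardened({"session": token, "image": genuine})[0]
    return {
        "vulnerable": (vuln_status, vuln_fw),
        "hardened_anon": r_anon,
        "hardened_unsigned": r_unsigned,
        "hardened_signed": (r_signed, dev.firmware),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point of ordering the checks this way is that an unauthenticated request is refused before any image is parsed, so a crafted image never reaches the installer. That property is exactly what an end-of-life device with no fix cannot acquire; the remaining lever for an SPA112 owner is limiting who can reach the management interface at all while the replacement is scheduled.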

DBAPPsecurity, a network security company in China, reported the vulnerability to Cisco, according to the network box maker. Cisco's Product Security Incident Response Team (PSIRT) says it is not aware of any exploitation of the vulnerability.

The ATA 190 Series adapter has been available for almost a decade and, like the SPA112 adapter, enables enterprises to turn analog devices like phones, fax machines, and paging systems into IP devices. They can then be used by companies with enterprise networks, small offices, and unified communications-as-a-service cloud operations.

We note that the ATA 190 itself is slated for its final software updates in March 2024; Cisco recommends the ATA 191 and later models instead.

Before migrating to whichever new adapter, organizations should make sure the device will address their network needs and that their hardware and software configurations are supported by the device, Cisco wrote.

While there don't seem to have been attacks exploiting the vulnerability in the wild, upgrading to still-supported adapters would make sense. Cisco's Talos threat intelligence unit said last month that Russian intelligence operatives, working under the APT28 threat group umbrella, in 2021 exploited an old vulnerability in Cisco routers to gather network data from US and European government agencies.

Cisco had issued a fix for the flaw in 2017, though some routers remain unpatched. Talos said miscreants are only getting better and better at their attacks on networks, including exploiting known flaws in vulnerable devices. ®
