CVE-2019-1683

EPSS 0.17%
Published 25.02.2019 17:29:00
Last modified 21.11.2024 04:37:05
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in the certificate handling component of the Cisco SPA112, SPA525, and SPA5X5 Series IP Phones could allow an unauthenticated, remote attacker to listen to or control some aspects of a Transport Level Security (TLS)-encrypted Session Initiation Protocol (SIP) conversation. The vulnerability is due to the improper validation of server certificates. An attacker could exploit this vulnerability by crafting a malicious server certificate to present to the client. An exploit could allow an attacker to eavesdrop on TLS-encrypted traffic and potentially route or redirect calls initiated by an affected device. Affected software include version 7.6.2 of the Cisco Small Business SPA525 Series IP Phones and Cisco Small Business SPA5X5 Series IP Phones and version 1.4.2 of the Cisco Small Business SPA500 Series IP Phones and Cisco Small Business SPA112 Series IP Phones.

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Spa112 Firmware Version1.4.2

Cisco ≫ Spa112 Version-

Cisco ≫ Spa525 Firmware Version7.6.2

Cisco ≫ Spa525 Version-

Cisco ≫ Spa5x5 Firmware Version7.6.2

Cisco ≫ Spa5x5 Version-

Cisco ≫ Spa500 Firmware Version1.4.2

Cisco ≫ Spa500 Version-

Cisco ≫ Spa500s Firmware Version1.4.2

Cisco ≫ Spa500s Version-

Cisco ≫ Spa500ds Firmware Version1.4.2

Cisco ≫ Spa500ds Version-

Cisco ≫ Spa501g Firmware Version1.4.2

Cisco ≫ Spa501g Version-

Cisco ≫ Spa502g Firmware Version1.4.2

Cisco ≫ Spa502g Version-

Cisco ≫ Spa504g Firmware Version1.4.2

Cisco ≫ Spa504g Version-

Cisco ≫ Spa508g Firmware Version1.4.2

Cisco ≫ Spa508g Version-

Cisco ≫ Spa509g Firmware Version1.4.2

Cisco ≫ Spa509g Version-

Cisco ≫ Spa512g Firmware Version1.4.2

Cisco ≫ Spa512g Version-

Cisco ≫ Spa514g Firmware Version1.4.2

Cisco ≫ Spa514g Version-

Cisco ≫ Spa525g Firmware Version1.4.2

Cisco ≫ Spa525g Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.17%	0.384

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.4	2.2	5.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:P/I:P/A:N
psirt@cisco.com	6.5	2.2	4.2	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

http://www.securityfocus.com/bid/107111

Third Party Advisory

Broken Link

VDB Entry

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-ipphone-certs

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-1683

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-1683

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-1683

EUVD