"Cisco Patches High-Severity Vulnerabilities in Analog Telephone Adapters"

Cisco recently announced patches for eight vulnerabilities in the firmware of ATA 190 series analog telephone adapters, including two high-severity flaws leading to configuration changes and cross-site request forgery (CSRF) attacks.  The first high-severity flaw, CVE-2024-20458, impacts the web-based management interface of the firmware and exists because specific HTTP endpoints lack authentication, allowing remote, unauthenticated attackers to browse to a specific URL and view or delete configurations or modify the firmware.  The second high-severity issue is tracked as CVE-2024-20421 and allows remote, unauthenticated attackers to conduct CSRF attacks and perform arbitrary actions on vulnerable devices.  Cisco noted that an attacker can exploit the security defect by convincing a user to click on a crafted link.  Cisco also patched CVE-2024-20459, a medium-severity vulnerability that could allow remote, authenticated attackers to execute arbitrary commands with root privileges.  Cisco noted that the remaining five security defects, all medium severity, could be exploited to conduct cross-site scripting (XSS) attacks, execute arbitrary commands as root, view passwords, modify device configurations or reboot the device, and run commands with administrator privileges.  Patches for these bugs were included in firmware version 12.0.2 for the ATA 191 analog telephone adapters, and firmware version 11.2.5 for the ATA 191 and 192 multiplatform analog telephone adapters.  Cisco did not mention if these vulnerabilities are being exploited in the wild.  

SecurityWeek reports: "Cisco Patches High-Severity Vulnerabilities in Analog Telephone Adapters"