CVE-2019-1683 — Improper Certificate Validation in Cisco Small Business Spa112 Series IP Phones

CWE-295 — Improper Certificate Validation5 documents5 sources

Severity

7.4HIGHNVD

EPSS

0.2%

top 62.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Small Business Spa112 Series IP Phones Cisco Small Business Spa500 Series IP Phones Cisco Small Business Spa525 Series IP Phones +15 more

Timeline

PublishedFeb 25

Latest updateMay 13

Description

A vulnerability in the certificate handling component of the Cisco SPA112, SPA525, and SPA5X5 Series IP Phones could allow an unauthenticated, remote attacker to listen to or control some aspects of a Transport Level Security (TLS)-encrypted Session Initiation Protocol (SIP) conversation. The vulnerability is due to the improper validation of server certificates. An attacker could exploit this vulnerability by crafting a malicious server certificate to present to the client. An exploit could all…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages18 packages

▶CVEListV5cisco/cisco_small_business_spa112_series_ip_phones1.4.2

▶CVEListV5cisco/cisco_small_business_spa525_series_ip_phones7.6.2

▶CVEListV5cisco/cisco_small_business_spa5x5_series_ip_phones7.6.2

▶CVEListV5cisco/cisco_small_business_spa500_series_ip_phones1.4.2

▶NVDcisco/spa112_firmware1.4.2

🔴Vulnerability Details

GHSA

GHSA-jhfq-9hcr-5qqv: A vulnerability in the certificate handling component of the Cisco SPA112, SPA525, and SPA5X5 Series IP Phones could allow an unauthenticated, remote↗2022-05-13

▶

CVEList

Cisco SPA112, SPA525, and SPA5x5 Series IP Phones Certificate Validation Vulnerability↗2019-02-25

▶

📋Vendor Advisories

Cisco

Cisco SPA112, SPA525, and SPA5x5 Series IP Phones Certificate Validation Vulnerability↗2019-02-20

▶

💬Community

Bugzilla

CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions↗2018-10-18

▶