Vulnerability Description
The debug console interface on Cisco Small Business SPA300 and SPA500 phones does not properly perform authentication, which allows local users to execute arbitrary debug-shell commands, or read or modify data in memory or a filesystem, via direct access to this interface, aka Bug ID CSCun77435.
CVSS Score
6.9 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cisco | SPA 301 1 Line IP Phone | All versions |
| Cisco | SPA 303 3 Line IP Phone | All versions |
| Cisco | SPA 501G 8-Line IP Phone | All versions |
| Cisco | SPA 502G 1-Line IP Phone | All versions |
| Cisco | SPA 504G 4-Line IP Phone | All versions |
| Cisco | SPA 508G 8-Line IP Phone | All versions |
| Cisco | SPA 509G 12-Line IP Phone | All versions |
| Cisco | SPA 512G 1-Line IP Phone | All versions |
| Cisco | SPA 514G 4-Line IP Phone | All versions |
| Cisco | SPA 525G 5-Line IP Phone | All versions |
| Cisco | SPA 525G2 5-Line IP Phone | All versions |
| Cisco | SPA901 1-Line IP Phone | All versions |
| Cisco | SPA922 1-Line IP Phone With 1-Port Ethernet | All versions |
| Cisco | SPA941 4-Line IP Phone With 1-Port Ethernet | All versions |
| Cisco | SPA942 4-Line IP Phone With 2-Port Switch | All versions |
| Cisco | SPA962 6-Line IP Phone With 2-Port Switch | All versions |
Related Weaknesses (CWE)
References
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3312 (Vendor Advisory)
- http://www.securityfocus.com/bid/68465
- http://www.securitytracker.com/id/1030552
- https://exchange.xforce.ibmcloud.com/vulnerabilities/94421
FAQ
What is CVE-2014-3312?
CVE-2014-3312 is a vulnerability with a CVSS score of 6.9 (MEDIUM). The debug console interface on Cisco Small Business SPA300 and SPA500 phones does not properly perform authentication, which allows local users to execute arbitrary debug-shell commands, or read or mo...
How severe is CVE-2014-3312?
CVE-2014-3312 has been rated MEDIUM with a CVSS base score of 6.9/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2014-3312?
Check the references section above for vendor advisories and patch information. Affected products include: Cisco SPA 301 1 Line IP Phone, Cisco SPA 303 3 Line IP Phone, Cisco SPA 501G 8-Line IP Phone, Cisco SPA 502G 1-Line IP Phone, Cisco SPA 504G 4-Line IP Phone.