Vulnerability Details : CVE-2019-1683
A vulnerability in the certificate handling component of the Cisco SPA112, SPA525, and SPA5X5 Series IP Phones could allow an unauthenticated, remote attacker to listen to or control some aspects of a Transport Level Security (TLS)-encrypted Session Initiation Protocol (SIP) conversation. The vulnerability is due to the improper validation of server certificates. An attacker could exploit this vulnerability by crafting a malicious server certificate to present to the client. An exploit could allow an attacker to eavesdrop on TLS-encrypted traffic and potentially route or redirect calls initiated by an affected device. Affected software include version 7.6.2 of the Cisco Small Business SPA525 Series IP Phones and Cisco Small Business SPA5X5 Series IP Phones and version 1.4.2 of the Cisco Small Business SPA500 Series IP Phones and Cisco Small Business SPA112 Series IP Phones.
Products affected by CVE-2019-1683
- cpe:2.3:o:cisco:spa500_firmware:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:spa501g_firmware:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:spa502g_firmware:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:spa504g_firmware:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:spa508g_firmware:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:spa509g_firmware:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:spa512g_firmware:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:spa514g_firmware:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:spa500s_firmware:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:spa500ds_firmware:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:spa112_firmware:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:spa525_firmware:7.6.2:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:spa5x5_firmware:7.6.2:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:spa525g_firmware:1.4.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-1683
0.15%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 51 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-1683
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
8.6
|
4.9
|
NIST | |
6.5
|
MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N |
2.2
|
4.2
|
Cisco Systems, Inc. | |
7.4
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
2.2
|
5.2
|
NIST |
CWE ids for CVE-2019-1683
-
The product does not validate, or incorrectly validates, a certificate.Assigned by:
- nvd@nist.gov (Primary)
- ykramarz@cisco.com (Secondary)
References for CVE-2019-1683
-
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-ipphone-certs
Cisco SPA112, SPA525, and SPA5x5 Series IP Phones Certificate Validation VulnerabilityVendor Advisory
-
http://www.securityfocus.com/bid/107111
Cisco SPA112, SPA525 and SPA5x5 Series IP Phone Certificate Validation Security Bypass VulnerabilityBroken Link;Third Party Advisory;VDB Entry
Jump to