Cisco IP Phone Forced Reboot

• Vulnerability:

• • SCCP runs on TCP which is vulnerable to reset attacks
  • If a phone’s signaling channel is terminated this way the phone performs a full reboot
  • As of firmware 8.0(7.0) (most recent for 7940, 8.3.3 not avail)
  • Public Disclosure: 04/20/2004
  • http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml

• Attack:

• • Inject a RST packet into the signaling channel

• Effects:

• • The IP phone performs a full reboot
  • Service is unavailable while doing so