Cisco IP Phone 7960 Unsigned Content...

Published: 2002-09-19
Revised: 2025-04-13

The Cisco IP Phone 7960 uses TFTP (Trivial File Transfer Protocol) to download firmware images and configuration files. TFTP does not provide authentication, and firmware images are not signed, so a client has no way to determine whether firmware is authentic. Vulnerable devices trust firmware images with a higher version number and retrieve and install them automatically when they are booted. This happens transparently, without any user interaction. If an attacker can compromise the TFTP server, it is possible to cause malicious firmware to be installed on vulnerable devices. The weakness can also be exploited by an attacker who controls a server that appears to the device to be the authentic TFTP server. It is also theoretically possible for an attacker to substitute a malicious configuration file by exploiting this weakness.
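Because the phones cannot verify what they download, integrity has to be checked on the server side. The following is an added example, not code from the advisory or from Cisco: it audits a TFTP root against a SHA-256 manifest that is assumed to have been recorded out of band on a trusted host. All file names and contents are constructed for the demonstration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large firmware images are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_tftp_root(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file under root with manifest {relative path: sha256 hex}."""
    report = {"modified": [], "unexpected": [], "missing": []}
    seen = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            # An unlisted image matters here: phones install newer firmware automatically.
            report["unexpected"].append(rel)
        elif not hmac.compare_digest(sha256_file(path), expected.lower()):
            report["modified"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def demo() -> dict[str, list[str]]:
    """Build a constructed TFTP root, record a manifest, alter the root, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "firmware-example.bin").write_bytes(b"known-good image")
        (root / "phone-example.cnf").write_bytes(b"known-good config")
        manifest = {p.name: sha256_file(p) for p in root.iterdir()}
        manifest["ringlist-example.dat"] = "0" * 64  # listed in the manifest, absent on disk
        # Constructed changes made after the manifest was recorded.
        (root / "phone-example.cnf").write_bytes(b"altered config")
        (root / "firmware-example-newer.bin").write_bytes(b"unlisted image")
        return audit_tftp_root(root, manifest)


if __name__ == "__main__":
    print(demo())
```

This check covers changes made on the legitimate TFTP server only. It does not detect a different server that appears to the device to be the authentic one.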

No exploit or PoC is currently available.
There are currently 0 affected product entries.