CVE-2024-20463
📋 TL;DR
This vulnerability in Cisco ATA 190 Series Analog Telephone Adapters allows unauthenticated remote attackers to modify device configuration or reboot devices via malicious HTTP GET requests to the web management interface. This affects organizations using vulnerable firmware versions of these VoIP adapters, potentially causing service disruption.
💻 Affected Systems
- Cisco ATA 190 Series Analog Telephone Adapter
⚠️ Risk & Real-World Impact
Worst Case
Attacker repeatedly reboots critical VoIP devices, causing extended denial of service for phone services across an organization.
Likely Case
Limited configuration changes or temporary device reboots disrupting individual phone lines until manual intervention.
If Mitigated
No impact if devices are patched or properly segmented from untrusted networks.
🎯 Exploit Status
Simple HTTP GET request manipulation required, no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware 12.0(1)SR1 and later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ata19x-multi-RDTEqRsy
Restart Required: Yes
Instructions:
1. Download firmware 12.0(1)SR1 or later from Cisco.
2. Access device web interface.
3. Navigate to Administration > Software Upgrade.
4. Upload and install new firmware.
5. Reboot device after installation.
🔧 Temporary Workarounds
Disable web management interface
Prevents exploitation by disabling the vulnerable HTTP server component
Configure via device CLI: no ip http server
Or via web interface: Administration > Management > disable HTTP/HTTPS
Network segmentation
Restrict access to management interface to trusted networks only
Configure firewall rules to block external access to port 80/443 on ATA devices
Implement VLAN segmentation for management traffic
🧯 If You Can't Patch
- Implement strict network access controls to limit management interface exposure
- Monitor for suspicious HTTP GET requests to device management interfaces
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface (Status > System Information) or CLI (show version). If version is below 12.0(1)SR1, device is vulnerable.
Check Version:
show version (CLI) or check web interface Status > System Information
Verify Fix Applied:
Confirm firmware version is 12.0(1)SR1 or later and test that HTTP GET requests no longer cause state changes.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP GET requests to management interface
- Multiple device reboots in short time period
- Configuration changes from unauthenticated sources
Network Indicators:
- HTTP GET requests with parameter manipulation to ATA management ports
- Traffic from unexpected sources to device management interfaces
SIEM Query:
source_ip=* AND dest_port IN (80,443) AND http_method=GET AND dest_ip IN (ATA_DEVICE_IPS) AND (uri CONTAINS "reboot" OR uri CONTAINS "config")
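The SIEM query above, written out as a small log filter for environments without a SIEM (an added example, not part of the advisory or any Cisco tooling). The device addresses, trusted management subnet, space-separated log layout and `/example/...` paths are constructed assumptions; the ports, method and URI keywords come from the query.

```python
import ipaddress
from urllib.parse import unquote

# Assumptions (not from the advisory): device addresses, the trusted
# management subnet, and the space-separated log layout below.
ATA_DEVICE_IPS = {"10.20.0.11", "10.20.0.12"}
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.99.0.0/24")]
MGMT_PORTS = {80, 443}
URI_KEYWORDS = ("reboot", "config")

# Constructed sample records: time src_ip dst_ip dst_port method uri
SAMPLE_LOG = """\
2024-10-20T09:00:01Z 10.99.0.5 10.20.0.11 80 GET /example/status
2024-10-20T09:00:07Z 192.0.2.44 10.20.0.11 80 GET /example/ReBoot?now=1
2024-10-20T09:00:09Z 192.0.2.44 10.20.0.12 443 GET /example/%63onfig?line=1
2024-10-20T09:00:12Z 10.99.0.5 10.20.0.12 80 GET /example/config?line=2
2024-10-20T09:00:15Z 192.0.2.44 10.30.0.9 80 GET /example/reboot
2024-10-20T09:00:20Z 192.0.2.44 10.20.0.11 80 POST /example/config
malformed line
"""

def is_trusted(src):
    """True when the source address is inside a trusted management net."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_MGMT_NETS)

def find_suspicious(log_text):
    """Return one alert dict per record matching the page's SIEM query."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip records that do not fit the assumed layout
        ts, src, dst, port, method, uri = fields
        if not port.isdigit() or int(port) not in MGMT_PORTS:
            continue
        if method.upper() != "GET" or dst not in ATA_DEVICE_IPS:
            continue
        # Normalise before matching: decode percent-encoding, lowercase.
        decoded = unquote(uri).lower()
        hits = [k for k in URI_KEYWORDS if k in decoded]
        if hits:
            alerts.append({"time": ts, "src": src, "dst": dst,
                           "keywords": hits,
                           "untrusted_source": not is_trusted(src)})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

The `untrusted_source` flag separates matches from the management subnet, which may be routine administration, from matches that also meet the "traffic from unexpected sources" indicator.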