PT-2021-2256 · Cisco · Cisco IP Phone Series 68xx/78xx/88xx

Qian Chen · Published 2021-03-03 · Updated 2026-01-06 · CVE-2021-1379

CVSS v3.1: 6.5 Medium

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Cisco IP Phone Series 68xx/78xx/88xx (affected versions not specified)
Description: The issue is related to multiple vulnerabilities in the Cisco Discovery Protocol and Link Layer Discovery Protocol (LLDP) implementations. These vulnerabilities could allow an unauthenticated, adjacent attacker to execute code remotely or cause a reload of an affected IP phone. The vulnerabilities are due to missing checks when the IP phone processes a Cisco Discovery Protocol or LLDP packet. An attacker could exploit these vulnerabilities by sending a malicious Cisco Discovery Protocol or LLDP packet to the targeted IP phone, potentially allowing the attacker to execute code on the affected IP phone or cause it to reload unexpectedly, resulting in a denial of service (DoS) condition. Note that to exploit these vulnerabilities, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).
Recommendations: For Cisco IP Phone Series 68xx/78xx/88xx, update to the latest software version that addresses these vulnerabilities. As a temporary workaround, consider restricting access to the Cisco Discovery Protocol and LLDP implementations until a patch is available. Restrict access to the affected IP phones to minimize the risk of exploitation. At the moment, there is no information about additional mitigation measures.

Fix

DoS

Buffer Overflow

Weakness Enumeration

Related Identifiers

BDU:2021-01241
CVE-2021-1379

Affected Products

Cisco IP Phone Series 68xx/78xx/88xx