Cisco VoIP phones with 802.1x authentication contain a flaw that may allow a malicious user to connect anonymously to the voice VLAN. The issue is triggered when a spoofed Cisco Discovery Protocol packet is sent through the Cisco IP phone to a switch which supports both 802.1x authentication and Cisco VoIP phones. It is possible that the flaw may allow 802.1x authentication to the voice VLAN rather than the data VLAN, resulting in a loss of confidentiality, and/or integrity.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):
For switches with newer versions of CatOS software, DHCP snooping, port security, Dynamic ARP Inspection (DAI) and IP Source Guard may help to limit the scope of data link layer attacks. Cisco recommends that the user read their "Cisco Catalyst Integrated Security-Enabling the Self-Defending Network" whitepaper. Certificate-based authentication and encryption of voice signaling and media are available on newer versions of Cisco CallManager. Cisco also recommends that the user read the product data sheet for Cisco CallManager Version 4.1 for further information.