Cisco Warns of High-Severity Unpatched Flaw Affecting IP Phones Firmware

Cyber Security

Products You May Like

Dec 10, 2022Ravie LakshmananEnterprise Security / IP Phones

Cisco has released a new security advisory warning of a high-severity flaw affecting IP Phone 7800 and 8800 Series firmware that could be potentially exploited by a remote attacker to cause remote code execution or a denial-of-service (DoS) condition.

The networking equipment major said it’s working on a patch to address the vulnerability, which is tracked as CVE-2022-20968 (CVSS score: 8.1) and stems from a case of insufficient input validation of received Cisco Discovery Protocol (CDP) packets.

CDP is a proprietary network-independent protocol that is used for collecting information related to nearby, directly connected devices such as hardware, software, and device name, among others. It’s enabled by default.

CyberSecurity

“An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device,” the company said in an alert published on December 8, 2022.

“A successful exploit could allow the attacker to cause a stack overflow, resulting in possible remote code execution or a denial of service (DoS) condition on an affected device.”

Cisco IP phones running firmware version 14.2 and earlier are impacted. A patch is scheduled for release in January 2023, with the company stating that there are no updates or workarounds to remediate the issue.

However, on deployments that support both CDP and Link Layer Discovery Protocol (LLDP) for neighbor discovery, users can opt to disable CDP so that the affected devices switch to LLDP for advertising their identity and capabilities to directly connected peers in a local area network (LAN).

“This is not a trivial change and will require diligence on behalf of the enterprise to evaluate any potential impact to devices as well as the best approach to deploy this change in their enterprise,” the company said.

It further warned that it’s aware of the availability of a proof-of-concept (PoC) exploit and that the shortcoming has been publicly disclosed. There’s no evidence that the vulnerability has been actively abused in the wild to date.

Qian Chen from the Codesafe Team of Legendsec at Qi’anxin Group has been credited with discovering and reporting the vulnerability.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Oppo Find X8 Series Tipped to Offer an Extra Button for Quick Actions
iPhone 16 Pro Max Leaked Dummy Unit Offers Glimpse at New Desert Titanium Colourway
Realme 13 5G, Realme 13+ 5G With 80W Fast Charging Launched in India: Price, Offers, Specifications
Cryptocurrencies tumble amid a wave of long liquidations, bitcoin falls under $60,000
NASA Researcher to Study Gravity’s Impact on Plants Aboard Blue Origin’s Suborbital Rocket

Leave a Reply

Your email address will not be published. Required fields are marked *