Cisco has discovered a high-severity issue affecting its IP Phone 7800 and 8800 Series, tracked as CVE-2022-20968 (excluding Cisco Wireless IP Phones 8821).
An unauthenticated, adjacent attacker might exploit the flaw to cause program flow overruns on a large affected device, which might result in remote code execution (RCE) and denial of service (DoS) attacks.
This vulnerability exists because insufficiently validated Cisco Discovery Protocol packets are received as input. An attacker could exploit this vulnerability by crafting malformed Cisco Discovery Protocol traffic and sending it to an affected device.
A successful exploit can allow an attacker to cause a crash, allowing remote code execution or a denial of service (DoS) scenario on an affected system, reads the advisory published by the company.
The following Cisco products are affected by this vulnerability:
While no workarounds exist for this issue, we are working to solve it.
Cisco Discovery Protocol may be disabled on the affected IP Phone 7800 and 8800 Series by the administrator.
Incorporating configuration information gathered by LLDP is a condition for discovering additional information on this website, such as voice VLAN, IP address, or location.
The business should remain vigilant when determining how much they need to apply within the organization and any potential health effects.
Cisco encourages customers to assess the applicability and impact of their network configurations in their own specific geographic and use case environments. They should also be aware that, depending on what workarounds or mitigations they produce, customer networks could be harmed or impaired.
It’s important to consider any alternatives for individual environments and any potential side effects before deploying them.
Cisco has announced that a patch for this vulnerability is scheduled for January 2023, but has not yet released any security upgrades to address it.
Found this article interesting? Follow Terraeagle on Facebook, Twitter and LinkedIn to read more exclusive content we post.