Dec 10, 2022 | Ravie Lakshmanan
Cisco has released a new security advisory warning of a
high-severity flaw affecting IP Phone 7800 and 8800 Series firmware
that could be potentially exploited by a remote attacker to cause
remote code execution or a denial-of-service (DoS) condition.
The networking equipment major said it’s working on a patch to
address the vulnerability, which is tracked as
CVE-2022-20968 (CVSS score: 8.1) and stems from a
case of insufficient input validation of received Cisco Discovery
Protocol (CDP) packets.
CDP is a proprietary
network-independent protocol that is used for
collecting information related to nearby, directly connected
devices such as hardware, software, and device name, among others.
It’s enabled by default.
“An attacker could exploit this vulnerability by sending crafted
Cisco Discovery Protocol traffic to an affected device,” the
company said
in an alert published on December 8, 2022.
“A successful exploit could allow the attacker to cause a stack
overflow, resulting in possible remote code execution or a denial
of service (DoS) condition on an affected device.”
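
The kind of length checking that "insufficient input validation" refers to, as an added example (not Cisco firmware code and not taken from the advisory): a bounds-checked walk over CDP TLVs using the publicly documented packet layout. The advisory does not name the affected field; the Device ID TLV, the 64-byte buffer and the sample packets are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CDP_HDR_LEN   4       /* version, TTL, 16-bit checksum */
#define CDP_TLV_HDR   4       /* 16-bit type + 16-bit length */
#define CDP_TLV_DEVID 0x0001  /* Device ID TLV */
#define DEVID_MAX     64      /* assumed size of the fixed local buffer */

/* Constructed samples: a valid Device ID TLV, then one whose length claims 0x0100 bytes. */
static const uint8_t cdp_ok[]  = {0x02,0xb4,0x00,0x00, 0x00,0x01,0x00,0x0a,'S','E','P','0','0','1'};
static const uint8_t cdp_bad[] = {0x02,0xb4,0x00,0x00, 0x00,0x01,0x01,0x00,'S','E','P','0','0','1'};
static char devid[DEVID_MAX];  /* output buffer used with the samples */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the TLVs of a CDP payload (bytes after the LLC/SNAP header) and copy the
 * Device ID into out. Returns 0 on success, -1 if a length field disagrees with
 * the bytes received or the value would not fit. Checksum verification omitted. */
int cdp_extract_device_id(const uint8_t *pkt, size_t len, char out[DEVID_MAX])
{
    size_t off = CDP_HDR_LEN;
    int found = 0;
    if (pkt == NULL || len < CDP_HDR_LEN)
        return -1;
    out[0] = '\0';
    while (off < len) {
        if (len - off < CDP_TLV_HDR)
            return -1;                        /* truncated TLV header */
        uint16_t type = be16(pkt + off);
        uint16_t tlen = be16(pkt + off + 2);  /* counts the 4-byte header too */
        if (tlen < CDP_TLV_HDR || tlen > len - off)
            return -1;                        /* length exceeds received data */
        size_t vlen = (size_t)tlen - CDP_TLV_HDR;
        if (type == CDP_TLV_DEVID) {
            if (vlen >= DEVID_MAX)
                return -1;                    /* would overrun the fixed buffer */
            memcpy(out, pkt + off + CDP_TLV_HDR, vlen);
            out[vlen] = '\0';
            found = 1;
        }
        off += tlen;
    }
    return found ? 0 : -1;
}

int main(void) {
    return (cdp_extract_device_id(cdp_ok, sizeof cdp_ok, devid) == 0 &&
            cdp_extract_device_id(cdp_bad, sizeof cdp_bad, devid) == -1) ? 0 : 1;
}
```
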
Cisco IP phones running firmware version 14.2 and earlier are
impacted. A patch is scheduled for release in January 2023, with
the company stating that there are no updates or workarounds to
remediate the issue.
However, on deployments that support both CDP and Link Layer
Discovery Protocol (LLDP) for neighbor discovery,
users can opt to disable CDP so that the affected devices switch to
LLDP for advertising their identity and capabilities to directly
connected peers in a local area network (LAN).
“This is not a trivial change and will require diligence on
behalf of the enterprise to evaluate any potential impact to
devices as well as the best approach to deploy this change in their
enterprise,” the company said.
It further warned that it’s aware of the availability of a
proof-of-concept (PoC) exploit and that the shortcoming has been
publicly disclosed. There’s no evidence that the vulnerability has
been actively abused in the wild to date.
Qian Chen from the Codesafe Team of Legendsec at Qi’anxin Group
has been credited with discovering and reporting the
vulnerability.
Read more https://thehackernews.com/2022/12/cisco-warns-of-high-severity-unpatched.html