Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Cisco Patches Critical Vulnerability in Enterprise Communication Solutions

Cisco this week announced the availability of patches for a critical vulnerability in the Cisco Expressway series and TelePresence Video Communication Server (VCS) products that could allow an attacker to overwrite files on the underlying operating system with root privileges.

Cisco this week announced the availability of patches for a critical vulnerability in the Cisco Expressway series and TelePresence Video Communication Server (VCS) products that could allow an attacker to overwrite files on the underlying operating system with root privileges.

According to Cisco, the vulnerability impacts Expressway Control (Expressway-C) and Expressway Edge (Expressway-E) devices, which are meant to enable remote collaboration for both mobile users and teleworkers.

“Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device,” Cisco notes in an advisory.

Tracked as CVE-2022-20812 (CVSS score of 9.0), the critical-severity vulnerability could allow an authenticated attack that has administrator read-write privileges to overwrite files on the underlying operating system remotely, with the privileges of the root user.

The issue exists because user-supplied command arguments are not sufficiently validated, allowing an attacker to submit crafted input to the affected command.

Cisco also resolved a high-severity bug impacting the enterprise communication solutions, which could allow an unauthenticated, remote attacker to access sensitive data.

Tracked as CVE-2022-20813, the issue exists because certificates aren’t properly validated, thus allowing an attacker to set up a man-in-the-middle attack and “intercept the traffic between devices, and then using a crafted certificate to impersonate the endpoint.” The attacker could then view the intercepted traffic in clear text and could even modify the contents of the traffic.

Both issues were addressed with Cisco Expressway series and TelePresence VCS release 14.0.7 and Cisco encourages all customers to update as soon as possible.

Advertisement. Scroll to continue reading.

This week, Cisco also announced patches for a high-severity vulnerability in Smart Software Manager On-Prem (SSM On-Prem), which could allow a remote, authenticated attacker to cause a denial of service (DoS) condition. Tracked as CVE-2022-20808, the vulnerability was addressed in Cisco SSM On-Prem release 8-202112.

“This vulnerability is due to incorrect handling of multiple simultaneous device registrations on Cisco SSM On-Prem. An attacker could exploit this vulnerability by sending multiple device registration requests to Cisco SSM On-Prem,” the tech giant explains.

Cisco says it’s not aware of any of these vulnerabilities being exploited in attacks. Further information on the latest Cisco patches can be found on the company’s security portal.

Related: Cisco Patches Critical Vulnerability in Email Security Appliance

Related: Cisco Warns of Exploitation Attempts Targeting New IOS XR Vulnerability

Related: Cisco Patches 11 High-Severity Vulnerabilities in Security Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.