Cisco on Wednesday announced the release of patches for several high-severity vulnerabilities in its products, including a bug reported by the National Security Agency (NSA).
Tracked as CVE-2022-20783 (CVSS score of 7.5), the NSA-reported flaw is a denial of service (DoS) issue in TelePresence Collaboration Endpoint (CE) and RoomOS software, which could be exploited remotely, without authentication.
Insufficient input validation, Cisco explains, allows an attacker to send crafted H.323 traffic to a vulnerable device and cause it to reboot, either normally or in maintenance mode, thus creating a DoS condition.
Cisco patched the security hole with TelePresence CE releases 9.15.10.8 and 10.11.2.2 and with the RoomOS January 2022 release.
Another high-severity vulnerability that Cisco addressed this week is CVE-2022-20732 (CVSS score of 7.8), which is described as an elevation of privilege issue in the company’s Virtualized Infrastructure Manager (VIM) product.
Improper access permissions in VIM allow an authenticated, local attacker to access specific configuration files they should not have access to. The attacker could then obtain internal database credentials and use them to view and modify database contents.
“The attacker could use this access to the database to elevate privileges on the affected device,” Cisco says.
The vulnerability was resolved with the release of Virtualized Infrastructure Manager Software version 4.2.2. If updating to a patched release is not possible, users should connect to the device’s CLI as root and secure permissions to the affected files, the tech giant notes in its advisory.
This week, Cisco also removed a static SSH host key in Umbrella virtual appliance (VA) release 3.3.2, which could be abused by an unauthenticated, remote attacker to impersonate a VA.
“An attacker could exploit this vulnerability by performing a man-in-the-middle attack on an SSH connection to the Umbrella VA. A successful exploit could allow the attacker to learn the administrator credentials, change configurations, or reload the VA,” Cisco says.
Cisco also fixed roughly ten medium-severity vulnerabilities this week, including cross-site scripting (XSS), arbitrary file read, file decryption bypass, DoS, SQL injection, and cross-site request forgery (CSRF) bugs.
Related: CISA Says Recent Cisco Router Vulnerabilities Exploited in Attacks
Related: NSA Informs Cisco of Vulnerability Exposing Nexus Switches to DoS Attacks
Related: Cisco Patches Critical Vulnerabilities in Expressway, TelePresence VCS Products
More from Ionut Arghire
- North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- US, Israel Provide Guidance on Securing Remote Access Software
- Blumira Raises $15 Million for SMB-Tailored XDR Platform
- KeePass Update Patches Vulnerability Exposing Master Password
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
Latest News
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- BBC, British Airways, Novia Scotia Among First Big-Name Victims in Global Supply-Chain Hack
- Sysdig Introduces CNAPP With Realtime CDR
- Stay Focused on What’s Important
