Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Cisco Patches Virtual Conference Software Vulnerability Reported by NSA

Cisco on Wednesday announced the release of patches for several high-severity vulnerabilities in its products, including a bug reported by the National Security Agency (NSA).

Cisco on Wednesday announced the release of patches for several high-severity vulnerabilities in its products, including a bug reported by the National Security Agency (NSA).

Tracked as CVE-2022-20783 (CVSS score of 7.5), the NSA-reported flaw is a denial of service (DoS) issue in TelePresence Collaboration Endpoint (CE) and RoomOS software, which could be exploited remotely, without authentication.

Insufficient input validation, Cisco explains, allows an attacker to send crafted H.323 traffic to a vulnerable device and cause it to reboot, either normally or in maintenance mode, thus creating a DoS condition.

Cisco patched the security hole with TelePresence CE releases 9.15.10.8 and 10.11.2.2 and with the RoomOS January 2022 release.

Another high-severity vulnerability that Cisco addressed this week is CVE-2022-20732 (CVSS score of 7.8), which is described as an elevation of privilege issue in the company’s Virtualized Infrastructure Manager (VIM) product.

Improper access permissions in VIM allow an authenticated, local attacker to access specific configuration files they should not have access to. The attacker could then obtain internal database credentials and use them to view and modify database contents.

“The attacker could use this access to the database to elevate privileges on the affected device,” Cisco says.

The vulnerability was resolved with the release of Virtualized Infrastructure Manager Software version 4.2.2. If updating to a patched release is not possible, users should connect to the device’s CLI as root and secure permissions to the affected files, the tech giant notes in its advisory.

Advertisement. Scroll to continue reading.

This week, Cisco also removed a static SSH host key in Umbrella virtual appliance (VA) release 3.3.2, which could be abused by an unauthenticated, remote attacker to impersonate a VA.

“An attacker could exploit this vulnerability by performing a man-in-the-middle attack on an SSH connection to the Umbrella VA. A successful exploit could allow the attacker to learn the administrator credentials, change configurations, or reload the VA,” Cisco says.

Cisco also fixed roughly ten medium-severity vulnerabilities this week, including cross-site scripting (XSS), arbitrary file read, file decryption bypass, DoS, SQL injection, and cross-site request forgery (CSRF) bugs.

Related: CISA Says Recent Cisco Router Vulnerabilities Exploited in Attacks

Related: NSA Informs Cisco of Vulnerability Exposing Nexus Switches to DoS Attacks

Related: Cisco Patches Critical Vulnerabilities in Expressway, TelePresence VCS Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Edge Delta has appointed Joan Pepin as its Chief Information Security Officer.

Vats Srivatsan has been appointed interim CEO of WatchGuard after Prakash Panjwani stepped down.

Network security policy management firm FireMon has appointed Alex Bender as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.