Cisco disclosed a critical security bug in its latest IP phone, Series 7800 and 8800, that may let attackers exploit the devices for conducting DoS attacks.
The input validation vulnerability hasn’t got a patch yet, which Cisco promised to bring next month. Until then, the company announced a mitigation solution and warned users to apply it after testing its effectiveness.
RCE Bug in Cisco IP Phones
Cisco, the networking giant, has today disclosed a critical security vulnerability in its IP phones series 7800 and 8800 (running firmware v14.2 and older), where any hacker exploiting it successfully gain executes arbitrary code remotely and leverages the compromised devices from DoS attacks.
As noted by Cisco’s Product Security Incident Response Team (PSIRT), the concerned bug (tracked as CVE-2022-20968) is triggered by Cisco Discovery Protocol packets on receiving insufficient input validation requests. This opens an unauthenticated path for adjacent attackers to exploit and trigger a stack overflow.
The Cisco team said they’re aware of a proof-of-concept exploit code in the wild and the vulnerability being publicly discussed. Confirming that there are no attempts of exploitation recorded yet, the company said a patch for this will arrive in January 2023.
Until then, Cisco suggested users disable the Discovery Protocol on affected IP Phone 7800 and 8800 Series devices and let them operate on the Link Layer Discovery Protocol (LLDP) for neighbor discovery.
“Devices will then use LLDP for the discovery of configuration data such as voice VLAN, power negotiation, and so on.”
Well, the company warned customers (especially the system admins at enterprises) to test this workaround effectively before deploying. It said, “any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to the such environment”.