Re: Zero-day vulnerab - Cisco IP Phones 7800 and 8800 Series

Leonardo Marciano · ‎01-12-2023

Hello everyone.
any updates on the case below?

Cisco Unveils Zero-Day High Gravity IP Phone with Exploit Code
Cisco today disclosed a high severity zero-day vulnerability affecting the latest generation of its IP phones and exposing them to remote code execution and denial of service (DoS) attacks.
The company warned on Thursday that its Product Security Incident Response Team (PSIRT) is "aware that proof-of-concept exploit code is available" and that the "vulnerability has been publicly discussed."
However, Cisco's PSIRT added that it is not yet aware of any attempts to exploit this security flaw in attacks.
Cisco did not release security updates to address this bug prior to disclosure and says a patch will be available in January 2023.
CVE-2022-20968, as the security flaw is traced, is caused by insufficient input validation of incoming Cisco Discovery Protocol packets, which unauthenticated adjacent attackers can exploit to trigger a stack overflow.
Affected devices include Cisco IP phones running 7800 and 8800 Series firmware version 14.2 and earlier.

Georg Pauwen · ‎01-12-2023

Hello,

no fix yet (other than the recommendation to disable CDP and enable LLDP)...

Leo Laohoo · ‎01-12-2023

@Leonardo Marciano wrote:

Cisco's PSIRT added that it is not yet aware of any attempts to exploit this security flaw in attacks.

There are no indication(s) this vulnerability is being actively exploited and there are no signs of any proof-of-concept released. That said, the patch should be out in the next two weeks.

Leonardo Marciano · ‎01-13-2023

Hi @Leo Laohoo and @Georg Pauwen .

Really tks for answers