Cisco logo
Exploits and vulnerabilities | News

Update now! Cisco fixes several vulnerabilities

Posted: March 4, 2022 by Pieter Arntz

Cisco has released a security advisoryabout two vulnerabilities in the API and web-based management interfaces of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS). The flaws could allow an authenticated, remote attacker with read/write privileges to the application to write files or execute arbitrary code on the underlying operating system of an affected device as the root user.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs you need to know:

CVE-2022-20754

The first vulnerability exists in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS. This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by authenticating to the system as an administrative user and then submitting crafted input to the affected command. A successful exploit could allow the attacker to overwrite arbitrary files on the underlying operating system as the root user.

CVE-2022-20755

The second vulnerability exists in the web-based management interface of Cisco Expressway Series and Cisco TelePresence VCS. This vulnerability is alos due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by authenticating to the system as an administrative user and then submitting crafted input to the affected command. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system as the root user.

Mitigation

The following products are affected by these vulnerabilities:

  • Cisco Expressway: X14.0.3 – X14.0.4
  • TelePresence Video Communication Server (VCS): X14.0.3 – X14.0.4

For these two vulnerabilities there are no workarounds. The only way to address them is to install the free software updatesprovided by Cisco. Both vulnerabilities received CVSS scoresof 9 out of 10 and are rated critical. Therefore, customers are urged to update to the latest versions as soon as possible.

Known exploited vulnerabilities catalog

The two vulnerabilities that were included in the security advisory were found during internal security testing, so there is no reason to assume that they are being exploited in the wild. The same is true for two high-severity vulnerabilities in Ultra Cloud Core – Subscriber Microservices Infrastructure (SMI) and Identity Services Engine (ISE) patched earlier. These are CVE-2022-20762(CVSS score of 7.8) and CVE-2022-20756(CVSS score of 8.6). Another vulnerability patched this week was CVE-2022-20665(CVSS score of 6.0) in the command line interface of Cisco StarOS which could allow an authenticated, local attacker to elevate privileges on an affected device.

While these vulnerabilities are not known to be exploited in the wild, looking at the catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA) that covers known exploited vulnerabilitiesyou will notice that of the 95 vulnerabilities that were added yesterday, 3 March, 38 are Cisco’s.

The affected products:

  • Small Business RV160, RV260, RV340, and RV345 Series Routers
  • Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers
  • Catalyst 4500 Series Switches and Cisco Catalyst 4500-X Series Switches
  • Catalyst 6800 Series Switches
  • Cisco IOS XE Software
  • IOS, XR, and XE Software

Some of these vulnerabilities need to be fixed by 17 March, 2022, while others have a due date of 24 March. These types of vulnerabilities are considered a frequent attack vector for threat actors and to pose a significant risk.

The Known Exploited Vulnerabilities Catalog has been established to act as a living list of known CVEs that carry significant risk to the federal government. Binding Operational Directive (BOD) 22-01requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date. Although BOD 22-01 only applies to FCEB agencies, organizations are encouraged to play along too, and reduce their exposure to cyberattacks with prompt patching of the most serious vulnerabilities.

Stay safe, everyone!

RELATED ARTICLES

Giant Tiger logo
News | Personal

Giant Tiger breach sees 2.8 million records leaked

April 16, 2024 - A threat actor claims to be in possession of 2.8 million records originating from a hack at Canadian retail chain Giant Tiger

CONTINUE READING 0 Comments
week in security
News

A week in security (April 8 – April 14)

April 15, 2024 - A list of topics we covered in the week of April 8 to April 14 of 2024

CONTINUE READING 0 Comments
change social security number
News

How to change your Social Security Number

April 12, 2024 - Wondering whether changing your SSN is an option. Read here what you need to qualify for a new SSN and what you need to get one.

CONTINUE READING 0 Comments
mercenary spyware alert
News | Privacy

Apple warns people of mercenary attacks via threat notification system

April 11, 2024 - Apple has sent alerts to people in 92 nations to say it's detected that they may have been a victim of a mercenary attack.

CONTINUE READING 0 Comments
A 13-year-old girl is using her smartphone in the dark room. The content she is browsing projects in front of her.
Cybercrime | Personal

How to protect yourself from online harassment

April 10, 2024 - Don't wait for an online harassment campaign to unfairly target you or a loved one. Take these proactive steps today to stay safe.

CONTINUE READING 0 Comments

ABOUT THE AUTHOR

Pieter Arntz

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams