HQ/EMEAFind out how we can help your business
In their announcement earlier this week, Cisco revealed a high-severity zero-day flaw that impacts the latest generation of their IP phone. Based on reports, the zero-day vulnerability could expose their IP phones to denial of service (DoS) and remote code execution (RCE) attacks.
The company said that its response team is aware of the proof-of-concept (PoC) exploit code, and its management has publicly discussed the vulnerability. However, Cisco’s response team added that it is not yet aware of any attempted exploit against their security flaw from any threat group.
The company still needs to release security updates to address the zero-day vulnerability but targeting to deploy the fix as early as January next year.
The zero-day exploit in the IP phone of Cisco is due to insufficient input validation.
The security flaw in Cisco’s IP phone is tracked as CVE-2022-20968. The vulnerability is an insufficient input validation of received Cisco Discovery Protocol packets. The attackers could exploit the flaw if unauthenticated, which could cause a stack overflow.
The impacted device of the current exploit includes Cisco IP phones that run from 7800 and 8800 Series firmware version 14.2 or earlier.
As of now, there is no available update to patch the CVE-2022-20968, but Cisco has provided security suggestions for admins who want to ensure the well-being of their devices and avoid issues for their environment.
The mitigation tactic requires a user to disable the Cisco Discovery Protocol on infected IP phones supporting Link Layer Discovery Protocol for adjacent discovery.
Unfortunately, the company explained that the mitigation tactic is not an easy change and will require the user’s diligence in evaluating any possible impact on the IP devices.
In addition, company admins who want to execute the mitigation tactics should test their applicability and effectiveness for their landscape. The company announced that customers should only launch any workarounds or mitigation strategies if they have evaluated their applicability to their environment since they may cause problems if inappropriately addressed.
