Cisco today disclosed a high-severity, zero-day vulnerability affecting the latest generation of its IP phones and exposing them to remote code execution and denial of service (DoS) attacks.
The company warned Thursday that its Product Security Incident Response Team (PSIRT) is “aware that proof-of-concept exploit code is available” and that “the vulnerability has been publicly discussed.”
However, Cisco’s PSIRT added that it was not yet aware of any attempts to exploit this security flaw in attacks.
Cisco did not release security updates to address this bug before disclosing it and says a fix will be available in January 2023.
CVE-2022-20968, as the security flaw is tracked, is caused by insufficient input validation of received Cisco Discovery Protocol packets, which unauthenticated adjacent attackers can exploit to trigger a stack overflow.
Affected devices include Cisco IP phones running 7800 and 8800 series firmware versions 14.2 and earlier.
The vulnerability was reported to Cisco by Qian Chen of QI-ANXIN Group’s Legendsec Codesafe Team.
Mitigation available for some devices
Although a security update to address CVE-2022-20968 or a workaround is not yet available, Cisco is providing mitigation guidance for administrators who want to protect vulnerable devices in their environment from potential attacks.
This requires disabling the Cisco Discovery Protocol on affected 7800 and 8800 series IP phones that also support Link Layer Discovery Protocol (LLDP) for neighbor discovery.
“Devices will then use LLDP for discovery of configuration data such as voice VLAN, power negotiation, etc.,” Cisco explained in a security advisory released Thursday.
“This is not a trivial change and will require due diligence on the part of the business to assess any potential impact to devices as well as the best approach to rolling out this change to their business.”
Administrators who wish to deploy this mitigation are encouraged to test its effectiveness and applicability for their environment.
Cisco warned that “customers should not deploy workarounds or mitigations until they first evaluate the applicability to their own environment and any impact to that environment.”
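One way to check a rollout of the mitigation described above, as an added example that is not from Cisco's advisory or the original article: it classifies captured Ethernet frames as CDP or LLDP and lists inventoried phones that are still transmitting CDP. The MAC addresses and sample frames are constructed and the function names are hypothetical; a phone that sends no CDP during a short capture is not proof that the protocol is disabled.

```python
import struct

CDP_DST = bytes.fromhex("01000ccccccc")       # Cisco multicast address used by CDP
CDP_SNAP = bytes.fromhex("aaaa0300000c2000")  # LLC/SNAP: OUI 00:00:0c, protocol ID 0x2000
LLDP_ETHERTYPE = 0x88CC
VLAN_ETHERTYPE = 0x8100

def classify(frame: bytes) -> str:
    """Return 'cdp', 'lldp' or 'other' for one raw Ethernet frame."""
    if len(frame) < 14:
        return "other"
    off = 12
    (field,) = struct.unpack_from("!H", frame, off)
    if field == VLAN_ETHERTYPE and len(frame) >= 18:  # skip one 802.1Q tag
        off += 4
        (field,) = struct.unpack_from("!H", frame, off)
    if field == LLDP_ETHERTYPE:
        return "lldp"
    # CDP uses an 802.3 length field (<= 1500) followed by the SNAP header.
    if frame[:6] == CDP_DST and field <= 1500 and frame[off + 2:off + 10] == CDP_SNAP:
        return "cdp"
    return "other"

def audit(frames, phone_macs):
    """Map each inventoried phone MAC to the discovery protocols it was seen sending."""
    seen = {mac: set() for mac in phone_macs}
    for frame in frames:
        src = frame[6:12].hex(":")
        kind = classify(frame)
        if src in seen and kind != "other":
            seen[src].add(kind)
    return seen

def still_sending_cdp(seen):
    """Phones observed transmitting CDP in the capture."""
    return sorted(mac for mac, kinds in seen.items() if "cdp" in kinds)

# Constructed sample capture: phone 1 still sends CDP, phone 2 sends LLDP only.
PHONE1, PHONE2 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
cdp_body = CDP_SNAP + bytes([2, 180, 0, 0])   # version 2, TTL 180, no TLVs
SAMPLE = [
    CDP_DST + bytes.fromhex("aabbcc000001") + struct.pack("!H", len(cdp_body)) + cdp_body,
    bytes.fromhex("0180c200000e") + bytes.fromhex("aabbcc000002") + b"\x88\xcc" + b"\x00\x00",
]

if __name__ == "__main__":
    result = audit(SAMPLE, [PHONE1, PHONE2])
    print(result, still_sending_cdp(result))
```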