Cisco today disclosed a serious vulnerability in its latest IP phone generation that could expose them to remote code execution (DoS), and other attacks.
On Thursday, the company stated that it was aware that proof-of concept exploit code exists and that this vulnerability has been discussed publicly.
Cisco’s PSIRT stated that they are not aware of any attacks seeking to exploit the flaw.
Cisco did not release security updates for this issue prior to disclosure, but it stated that they would make a patch available in January 2023.
CVE-2022-0968 is the security vulnerability. It is due to insufficient input validation for received Cisco Discovery Protocol packets. This allows unauthenticated attackers to exploit it and trigger a stack overload.
Cisco IP phones with versions 14.2 or earlier are affected.
Qian Chen, of QI-ANXIN Group’s Codesafe Team of Legendsec reported the vulnerability to Cisco.
Mitigation available for some devices
Although a CVE-20222-20968 security update or workaround is not available yet, Cisco offers mitigation advice to administrators who wish to protect vulnerable devices from possible attacks.
It is necessary to disable the Cisco Discovery Protocol for affected IP Phone 7800 series devices.
In a Thursday security advisory, Cisco stated that devices will use LLDP to discover configuration data, such as power negotiation and voice VLAN.
This is not an easy change. Enterprises will need to be diligent in evaluating the potential effects on devices and determining the best way to implement this change within their organization.
Administrators who wish to use this mitigation should test it’s effectiveness and suitability in their specific environment.
Cisco advised customers that they should evaluate the impact on their environment before deploying any mitigations or workarounds.