CVE-2022-20968 is a new high-severity security vulnerability in Cisco IP Phone 7800 and 8800 Series firmware.
CVE-2022-20968 In Detail
The CVE-2022-20968 vulnerability could be exploited by unauthenticated threat actors in remote code execution and denial-of-service attacks. The flaw stems from insufficient input validation of received Cisco Discovery Protocol (CDP) packets. CDP is a proprietary, network-independent protocol that collects information from directly connected devices in close proximity, including hardware, software, and device name. It is also noteworthy that CDP is enabled by default.
According to the official Cisco advisory, an attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device. A successful exploit could allow the attacker to cause a stack overflow, resulting in possible remote code execution or a denial of service (DoS) condition on an affected device.
Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Are there any workarounds available for CVE-2022-20968?
No known workarounds have been shared that address the flaw.
However, a mitigation is available for deployments that support both Cisco Discovery Protocol and Link Layer Discovery Protocol (LLDP) for neighbor discovery. To apply it, administrators should disable Cisco Discovery Protocol on vulnerable IP Phone 7800 and 8800 Series devices.
“Devices will then use LLDP for discovery of configuration data such as voice VLAN, power negotiation, and so on. This is not a trivial change and will require diligence on behalf of the enterprise to evaluate any potential impact to devices as well as the best approach to deploy this change in their enterprise,” the advisory added.
The company also said that this mitigation needs to be tested in customers’ own environment and conditions, since it may negatively impact the functionality or performance of their network.
“Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment,” the company explained. Free software updates that address CVE-2022-20968 will be released soon.
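One way to confirm the CDP-to-LLDP mitigation described above has taken effect is to check which discovery protocol each phone still transmits. The Python below is an added example, not code from Cisco or the advisory: it classifies raw Ethernet frames as CDP or LLDP by their standard framing and reports the result per source MAC. The function names, sample frames and MAC addresses are constructed for illustration, and reading frames from a real capture is left to the caller.

```python
import struct

CDP_DST = bytes.fromhex("01000ccccccc")        # Cisco multicast address CDP is sent to
CDP_SNAP = bytes.fromhex("aaaa0300000c2000")   # LLC/SNAP header: OUI 00:00:0c, PID 0x2000
LLDP_ETHERTYPE = 0x88CC

def classify(frame: bytes):
    """Return 'cdp', 'lldp' or None for one raw Ethernet frame."""
    if len(frame) < 14:
        return None
    off = 12
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == 0x8100:                        # skip one 802.1Q VLAN tag
        if len(frame) < 18:
            return None
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    if etype == LLDP_ETHERTYPE:
        return "lldp"
    # A value <= 1500 is an 802.3 length field, so an LLC/SNAP header follows.
    if etype <= 1500 and frame[:6] == CDP_DST and frame[off + 2:off + 10] == CDP_SNAP:
        return "cdp"
    return None

def audit(frames):
    """Map each source MAC to 'cdp-still-enabled' or 'lldp-only'."""
    seen = {}
    for frame in frames:
        kind = classify(frame)
        if kind:
            seen.setdefault(frame[6:12].hex(":"), set()).add(kind)
    return {m: "cdp-still-enabled" if "cdp" in k else "lldp-only" for m, k in seen.items()}

# Constructed sample frames (not captured traffic); MACs are made-up local addresses.
def cdp_frame(src, tag=b""):
    body = CDP_SNAP + bytes([2, 180, 0, 0])    # CDP version 2, TTL 180, checksum left zero
    return CDP_DST + src + tag + struct.pack("!H", len(body)) + body

def lldp_frame(src):
    return bytes.fromhex("0180c200000e") + src + struct.pack("!H", LLDP_ETHERTYPE) + b"\x00\x00"

PHONE_A, PHONE_B = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")
SAMPLE = [cdp_frame(PHONE_A), lldp_frame(PHONE_A), lldp_frame(PHONE_B)]

if __name__ == "__main__":
    for mac, status in audit(SAMPLE).items():
        print(mac, status)
```

A phone that still appears as `cdp-still-enabled` after the change has not picked up the new configuration; switches also send CDP, so filter the input to the phones' MAC addresses first.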